Run respec without sandbox

[ralfhandl]

Alternative to

• respec.yaml: use older Ubuntu #4337

Respec depends on puppeteer which does not support running in a sandbox with the latest Ubuntu. Official recommendation:

What if I don‘t have root access to the machine and can’t install anything?

You will need to run developer builds with the --no-sandbox command line flag, but be aware that this disables critical security features of Chromium and should never be used when browsing the open web.

I don't want to mess with the GitHub Ubuntu image, we are not browsing the open web, and we only tell puppeteer to access local HTML files that we generated ourselves, so this should be safe enough.

Tick one of the following options:

• schema changes are included in this pull request
• schema changes are needed for this pull request but not done yet
• no schema changes are needed for this pull request

[duncanbeevers]

I don't know how far down the rabbit hole it's worth going on this, but I don't think it's unreasonable to set up an AppArmor profile for puppeteer.

There's an aa-genprof tool we can use during a build to determine what permissions are necessary and to automatically generate a minimal AppArmor profile, which we can then commit and enforce.

If a profile does not exist for the program, aa-genprof will create one using aa-autodep
Genprof will then:
- set the profile to complain mode
- write a mark to the system log
- instruct the user to start the application to be profiled in another window and exercise its functionality
It then presents the user with two options, (S)can system log for entries to add to profile and (F)inish.

[ralfhandl]

I do not want to go anywhere near that rabbit hole.

There are two easy ways to get our spec build process running again:

• use the last working Github Action runner version that worked (respec.yaml: use older Ubuntu #4337)
• use a respec option to make it work (this PR)

Or we can leave the build process broken until the involved tools start working together again in a future version.

Side note: Arazzo and Overlays went back to the last working Ubuntu image provided by GitHub.

[lornajane]

I think this is a good solution for the time being. Thank you!