Merge main into releases/v3 (#2444)

* Update changelog and version after v3.26.4 * Update checked-in dependencies * Only run check SIP enablement once in `init` step (#2441) Co-authored-by: Henry Mercer <[email protected]> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * Update changelog for v3.26.5 --------- Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Angela P Wen <[email protected]> Co-authored-by: Henry Mercer <[email protected]>
github · Aug 23, 2024 · 2c779ab · 2c779ab
2 parents f0f3afe + 68cd1f9
commit 2c779ab
Show file tree

Hide file tree

Showing 13 changed files with 53 additions and 19 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,10 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th
 
 Note that the only difference between `v2` and `v3` of the CodeQL Action is the node version they support, with `v3` running on node 20 while we continue to release `v2` to support running on node 16. For example `3.22.11` was the first `v3` release and is functionally identical to `2.22.11`. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers.
 
+## 3.26.5 - 23 Aug 2024
+
+- Fix an issue where the `csrutil` system call used for telemetry would fail on MacOS ARM machines with System Integrity Protection disabled. [#2441](https://github.com/github/codeql-action/pull/2441)
+
 ## 3.26.4 - 21 Aug 2024
 
 - _Deprecation:_ The `add-snippets` input on the `analyze` Action is deprecated and will be removed in the first release in August 2025. [#2436](https://github.com/github/codeql-action/pull/2436)

diff --git a/lib/environment.js b/lib/environment.js
diff --git a/lib/environment.js.map b/lib/environment.js.map
diff --git a/lib/init-action.js b/lib/init-action.js
diff --git a/lib/init-action.js.map b/lib/init-action.js.map
diff --git a/lib/util.js b/lib/util.js
diff --git a/lib/util.js.map b/lib/util.js.map
diff --git a/node_modules/.package-lock.json b/node_modules/.package-lock.json
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "3.26.4",
+  "version": "3.26.5",
   "private": true,
   "description": "CodeQL action",
   "scripts": {

diff --git a/src/environment.ts b/src/environment.ts
@@ -50,6 +50,12 @@ export enum EnvVar {
   /** Whether the init action has been run. */
   INIT_ACTION_HAS_RUN = "CODEQL_ACTION_INIT_HAS_RUN",
 
+  /**
+   * For MacOS. Result of `csrutil status` to determine whether System Integrity
+   * Protection is enabled.
+   */
+  IS_SIP_ENABLED = "CODEQL_ACTION_IS_SIP_ENABLED",
+
   /** UUID representing the current job run. */
   JOB_RUN_UUID = "JOB_RUN_UUID",
 

diff --git a/src/init-action.ts b/src/init-action.ts
@@ -48,6 +48,7 @@ import {
   checkDiskUsage,
   checkForTimeout,
   checkGitHubVersionInRange,
+  checkSipEnablement,
   codeQlVersionAtLeast,
   DEFAULT_DEBUG_ARTIFACT_NAME,
   DEFAULT_DEBUG_DATABASE_NAME,
@@ -56,7 +57,6 @@ import {
   getThreadsFlagValue,
   initializeEnvironment,
   isHostedRunner,
-  isSipEnabled,
   ConfigurationError,
   wrapError,
   checkActionVersion,
@@ -555,7 +555,7 @@ async function run() {
       !(await codeQlVersionAtLeast(codeql, "2.15.1")) &&
       process.platform === "darwin" &&
       (process.arch === "arm" || process.arch === "arm64") &&
-      !(await isSipEnabled(logger))
+      !(await checkSipEnablement(logger))
     ) {
       logger.warning(
         "CodeQL versions 2.15.0 and lower are not supported on MacOS ARM machines with System Integrity Protection (SIP) disabled.",

diff --git a/src/util.ts b/src/util.ts
@@ -1021,7 +1021,7 @@ export async function checkDiskUsage(
     if (
       process.platform === "darwin" &&
       (process.arch === "arm" || process.arch === "arm64") &&
-      !(await isSipEnabled(logger))
+      !(await checkSipEnablement(logger))
     ) {
       return undefined;
     }
@@ -1113,11 +1113,20 @@ export function cloneObject<T>(obj: T): T {
   return JSON.parse(JSON.stringify(obj)) as T;
 }
 
-// For MacOS runners: runs `csrutil status` to determine whether System
-// Integrity Protection is enabled.
-export async function isSipEnabled(
+// The first time this function is called, it runs `csrutil status` to determine
+// whether System Integrity Protection is enabled; and saves the result in an
+// environment variable. Afterwards, simply return the value of the environment
+// variable.
+export async function checkSipEnablement(
   logger: Logger,
 ): Promise<boolean | undefined> {
+  if (
+    process.env[EnvVar.IS_SIP_ENABLED] !== undefined &&
+    ["true", "false"].includes(process.env[EnvVar.IS_SIP_ENABLED])
+  ) {
+    return process.env[EnvVar.IS_SIP_ENABLED] === "true";
+  }
+
   try {
     const sipStatusOutput = await exec.getExecOutput("csrutil status");
     if (sipStatusOutput.exitCode === 0) {
@@ -1126,13 +1135,15 @@ export async function isSipEnabled(
           "System Integrity Protection status: enabled.",
         )
       ) {
+        core.exportVariable(EnvVar.IS_SIP_ENABLED, "true");
         return true;
       }
       if (
         sipStatusOutput.stdout.includes(
           "System Integrity Protection status: disabled.",
         )
       ) {
+        core.exportVariable(EnvVar.IS_SIP_ENABLED, "false");
         return false;
       }
     }