System Integrity Protection (SIP) disabled in macos-13

[scottvanta]

Description

Unlike macos-11 and macos-12 images which have SIP enabled, the macos-13 image has SIP disabled, making it less reflective of real-world usage when testing macOS software.

macos-11

+ sw_vers
ProductName:	macOS
ProductVersion:	11.7.8
BuildVersion:	20G1351
+ csrutil status
System Integrity Protection status: enabled.

macos-12

+ sw_vers
ProductName:	macOS
ProductVersion:	12.6.7
BuildVersion:	21G651
+ csrutil status
System Integrity Protection status: enabled.

macos-13

+ sw_vers
ProductName:		macOS
ProductVersion:		13.5
BuildVersion:		22G74
+ csrutil status
System Integrity Protection status: disabled.

Since SIP is not something that can be toggled from within a runner, I don't believe there is any possible workaround.

Platforms affected

• Azure DevOps
• GitHub Actions - Standard Runners
• GitHub Actions - Larger Runners

Runner images affected

• Ubuntu 20.04
• Ubuntu 22.04
• macOS 11
• macOS 12
• macOS 13
• Windows Server 2019
• Windows Server 2022

Image version and build link

Runner Image
Image: macos-13
Version: 20230821.3

Is it regression?

No

Expected behavior

SIP should be enabled, as in production macOS installs and other macos runner images

Actual behavior

SIP is disabled

Repro steps

• Create a job using the macos-13 runner
• Run csrutil status
• See that SIP is disabled

[Alexey-Ayupov]

Hello @scottvanta, macOS 13 is still in public beta, and we know about the SIP situation. Due to some architectural limitations, it may be possible that SIP will be disabled for macOS 13 even after GA.

This issue will be closed, if you would like to track this activity, please make a new discussion of such a topic.

[slonopotamus]

I want to mention that certain amount of users wants SIP to be disabled. See #650