Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merge main into releases/v3 #2444

Merged
merged 5 commits into from
Aug 23, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,10 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th

Note that the only difference between `v2` and `v3` of the CodeQL Action is the node version they support, with `v3` running on node 20 while we continue to release `v2` to support running on node 16. For example `3.22.11` was the first `v3` release and is functionally identical to `2.22.11`. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers.

## 3.26.5 - 23 Aug 2024

- Fix an issue where the `csrutil` system call used for telemetry would fail on MacOS ARM machines with System Integrity Protection disabled. [#2441](https://github.com/github/codeql-action/pull/2441)

## 3.26.4 - 21 Aug 2024

- _Deprecation:_ The `add-snippets` input on the `analyze` Action is deprecated and will be removed in the first release in August 2025. [#2436](https://github.com/github/codeql-action/pull/2436)
Expand Down
5 changes: 5 additions & 0 deletions lib/environment.js

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion lib/environment.js.map

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion lib/init-action.js

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion lib/init-action.js.map

Large diffs are not rendered by default.

18 changes: 13 additions & 5 deletions lib/util.js

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion lib/util.js.map

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion node_modules/.package-lock.json

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 2 additions & 2 deletions package-lock.json

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion package.json
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"name": "codeql",
"version": "3.26.4",
"version": "3.26.5",
"private": true,
"description": "CodeQL action",
"scripts": {
Expand Down
6 changes: 6 additions & 0 deletions src/environment.ts
Original file line number Diff line number Diff line change
Expand Up @@ -50,6 +50,12 @@ export enum EnvVar {
/** Whether the init action has been run. */
INIT_ACTION_HAS_RUN = "CODEQL_ACTION_INIT_HAS_RUN",

/**
* For MacOS. Result of `csrutil status` to determine whether System Integrity
* Protection is enabled.
*/
IS_SIP_ENABLED = "CODEQL_ACTION_IS_SIP_ENABLED",

/** UUID representing the current job run. */
JOB_RUN_UUID = "JOB_RUN_UUID",

Expand Down
4 changes: 2 additions & 2 deletions src/init-action.ts
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,7 @@ import {
checkDiskUsage,
checkForTimeout,
checkGitHubVersionInRange,
checkSipEnablement,
codeQlVersionAtLeast,
DEFAULT_DEBUG_ARTIFACT_NAME,
DEFAULT_DEBUG_DATABASE_NAME,
Expand All @@ -56,7 +57,6 @@ import {
getThreadsFlagValue,
initializeEnvironment,
isHostedRunner,
isSipEnabled,
ConfigurationError,
wrapError,
checkActionVersion,
Expand Down Expand Up @@ -555,7 +555,7 @@ async function run() {
!(await codeQlVersionAtLeast(codeql, "2.15.1")) &&
process.platform === "darwin" &&
(process.arch === "arm" || process.arch === "arm64") &&
!(await isSipEnabled(logger))
!(await checkSipEnablement(logger))
) {
logger.warning(
"CodeQL versions 2.15.0 and lower are not supported on MacOS ARM machines with System Integrity Protection (SIP) disabled.",
Expand Down
19 changes: 15 additions & 4 deletions src/util.ts
Original file line number Diff line number Diff line change
Expand Up @@ -1021,7 +1021,7 @@ export async function checkDiskUsage(
if (
process.platform === "darwin" &&
(process.arch === "arm" || process.arch === "arm64") &&
!(await isSipEnabled(logger))
!(await checkSipEnablement(logger))
) {
return undefined;
}
Expand Down Expand Up @@ -1113,11 +1113,20 @@ export function cloneObject<T>(obj: T): T {
return JSON.parse(JSON.stringify(obj)) as T;
}

// For MacOS runners: runs `csrutil status` to determine whether System
// Integrity Protection is enabled.
export async function isSipEnabled(
// The first time this function is called, it runs `csrutil status` to determine
// whether System Integrity Protection is enabled; and saves the result in an
// environment variable. Afterwards, simply return the value of the environment
// variable.
export async function checkSipEnablement(
logger: Logger,
): Promise<boolean | undefined> {
if (
process.env[EnvVar.IS_SIP_ENABLED] !== undefined &&
["true", "false"].includes(process.env[EnvVar.IS_SIP_ENABLED])
) {
return process.env[EnvVar.IS_SIP_ENABLED] === "true";
}

try {
const sipStatusOutput = await exec.getExecOutput("csrutil status");
if (sipStatusOutput.exitCode === 0) {
Expand All @@ -1126,13 +1135,15 @@ export async function isSipEnabled(
"System Integrity Protection status: enabled.",
)
) {
core.exportVariable(EnvVar.IS_SIP_ENABLED, "true");
return true;
}
if (
sipStatusOutput.stdout.includes(
"System Integrity Protection status: disabled.",
)
) {
core.exportVariable(EnvVar.IS_SIP_ENABLED, "false");
return false;
}
}
Expand Down
Loading