8000 Log warning if SIP is disabled and CLI version is < 2.15.1 by angelapwen · Pull Request #2261 · github/codeql-action · GitHub
Log warning if SIP is disabled and CLI version is < 2.15.1 #2261

Merged 14 commits, Apr 25, 2024
Log a warning if SIP is disabled and CLI is < 2.15.1
angelapwen committed Apr 25, 2024
commit ab003392fe87d5c1894a3c90354e6225ab301436
7 changes: 7 additions & 0 deletions lib/init-action.js


2 changes: 1 addition & 1 deletion lib/init-action.js.map


24 changes: 23 additions & 1 deletion lib/init.js


2 changes: 1 addition & 1 deletion lib/init.js.map


20 changes: 19 additions & 1 deletion src/init-action.ts
Expand Up @@ -24,7 +24,13 @@ import {
} from "./diagnostics";
import { EnvVar } from "./environment";
import { Feature, Features } from "./feature-flags";
import { checkInstallPython311, initCodeQL, initConfig, runInit } from "./init";
import {
checkInstallPython311,
initCodeQL,
initConfig,
isSipEnabled,
runInit,
} from "./init";
import { Language } from "./languages";
import { getActionsLogger, Logger } from "./logging";
import { parseRepositoryNwo } from "./repository";
Expand Down Expand Up @@ -467,6 +473,18 @@ async function run() {
}
}

// For CLI versions <2.15.1, build tracing caused errors in MacOS ARM machines with
// System Integrity Protection (SIP) disabled.
if (
!(await codeQlVersionAbove(codeql, "2.15.1")) &&
Contributor
Minor, separate: I had to go look at the definition to remind myself whether this was > or >=. Perhaps we should rename it codeQlVersionAtLeast or similar.

Contributor Author
Good point, I always double check that it's using gte too. I've made the change.

process.platform === "darwin" &&
!(await isSipEnabled(logger))
) {
logger.warning(
"CodeQL versions 2.15.0 and lower are not supported on MacOS ARM machines with System Integrity Protection (SIP) disabled.",
Contributor
The warning mentions ARM, but you're not checking process.arch.
Either we can change the warning to say macOS in general with SIP disabled is not supported on <=2.15.0 (not strictly true, but I don't know if we fixed other relocation issues that would affect Intel),
or change the code above to check process.arch being arm or arm64.

Contributor Author
Ah yes, good point 👍 will change it to process.arch as I believe that's more accurate to the problem we were looking at in 2.15.1.

);
}

// From 2.16.0 the default for the python extractor is to not perform any
// dependency extraction. For versions before that, you needed to set this flag to
// enable this behavior (supported since 2.13.1).
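Review bot: The new SIP condition treats an indeterminate result as "disabled": isSipEnabled is declared as returning `boolean | undefined` and returns `undefined` when `csrutil status` fails or prints neither expected string, and `!(await isSipEnabled(logger))` is true for `undefined`, so on an old CLI the warning fires whenever the status cannot be determined, not only when SIP is confirmed off. Consider `(await isSipEnabled(logger)) === false` so an inconclusive check stays silent (isSipEnabled already logs its own warning on failure). As raised in the thread, the message names ARM but the condition never inspects `process.arch`; adding `process.arch === "arm64"` would make the code match the text. The ordering is good as it is: `codeQlVersionAbove` is evaluated first, so `csrutil` is only spawned for CLI versions that are actually affected.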
31 changes: 31 additions & 0 deletions src/init.ts
@@ -1,6 +1,7 @@
import * as fs from "fs";
import * as path from "path";

import * as exec from "@actions/exec/lib/exec";
import * as toolrunner from "@actions/exec/lib/toolrunner";
import * as safeWhich from "@chrisgavin/safe-which";

Expand Down Expand Up @@ -140,3 +141,33 @@ export async function checkInstallPython311(
]).exec();
}
}

// For MacOS runners: runs `csrutil status` to determine whether System
// Integrity Protection is enabled.
export async function isSipEnabled(logger): Promise<boolean | undefined> {
try {
const sipStatusOutput = await exec.getExecOutput("csrutil status");
if (sipStatusOutput.exitCode === 0) {
if (
sipStatusOutput.stdout.includes(
"System Integrity Protection status: enabled.",
)
) {
return true;
}
if (
sipStatusOutput.stdout.includes(
"System Integrity Protection status: disabled.",
)
) {
return false;
}
}
return undefined;
} catch (e) {
logger.warning(
`Failed to determine if System Integrity Protection was enabled: ${e}`,
);
return undefined;
}
}
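Review bot: `logger` in `export async function isSipEnabled(logger)` has no type annotation and so is an implicit `any`; declare it as `logger: Logger` (the `Logger` type is imported from "./logging" in init-action.ts in this same PR) so a wrong argument fails at compile time. In the same function, the non-zero exit code and unmatched-output paths fall through to `return undefined` without logging anything, so a caller has no way to learn why the check was inconclusive; a `logger.debug` including `exitCode` and `stdout` on that path would make runner differences diagnosable. The comment says "For MacOS runners", but nothing in the function enforces that: only the caller's `process.platform === "darwin"` check keeps `csrutil` from being invoked elsewhere, where it does not exist and every call would land in the catch block and emit a warning.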