Merge remote-tracking branch 'origin/main' into angelapwen/post-init-cleanup

lib/codeql.js

@@ -510,6 +510,19 @@ async function getCodeQLForCmd(cmd, checkVersion) {
                 "-Dhttp.keepAlive=false",
                 "-Dmaven.wagon.http.pool=false",
             ].join(" ");
+            // On macOS, System Integrity Protection (SIP) typically interferes with
+            // CodeQL build tracing of protected binaries.
+            // The usual workaround is to prefix `$CODEQL_RUNNER` to build commands:
+            // `$CODEQL_RUNNER` (not to be confused with the deprecated CodeQL Runner tool)
+            // points to a simple wrapper binary included with the CLI, and the extra layer of
+            // process indirection helps the tracer bypass SIP.
+            // The above SIP workaround is *not* needed here.
+            // At the `autobuild` step in the Actions workflow, we assume the `init` step
+            // has successfully run, and will have exported `DYLD_INSERT_LIBRARIES`
+            // into the environment of subsequent steps, to activate the tracer.
+            // When `DYLD_INSERT_LIBRARIES` is set in the environment for a step,
+            // the Actions runtime introduces its own workaround for SIP
+            // (https://github.com/actions/runner/pull/416).
             await runTool(autobuildCmd);
         },
         async extractScannedLanguage(databasePath, language, featureFlags) {

lib/defaults.json

@@ -1,3 +1,3 @@
 {
-    "bundleVersion": "codeql-bundle-20220714"
+    "bundleVersion": "codeql-bundle-20220728"
 }