Merge remote-tracking branch 'origin/main' into dbartol/config-file-telemetry

2024-08-23 16:59:59 -04:00 · 2024-08-23 16:59:59 -04:00 · 5033d8503b
commit 5033d8503b
parent e885d9d725 7e27807413
10 changed files with 46 additions and 16 deletions
--- a/src/environment.ts
+++ b/src/environment.ts
@ -50,6 +50,12 @@ export enum EnvVar {
  /** Whether the init action has been run. */
  INIT_ACTION_HAS_RUN = "CODEQL_ACTION_INIT_HAS_RUN",

+  /**
+   * For MacOS. Result of `csrutil status` to determine whether System Integrity
+   * Protection is enabled.
+   */
+  IS_SIP_ENABLED = "CODEQL_ACTION_IS_SIP_ENABLED",
+
  /** UUID representing the current job run. */
  JOB_RUN_UUID = "JOB_RUN_UUID",

--- a/src/init-action.ts
+++ b/src/init-action.ts
@ -48,6 +48,7 @@ import {
  checkDiskUsage,
  checkForTimeout,
  checkGitHubVersionInRange,
+  checkSipEnablement,
  codeQlVersionAtLeast,
  DEFAULT_DEBUG_ARTIFACT_NAME,
  DEFAULT_DEBUG_DATABASE_NAME,
@ -56,7 +57,6 @@ import {
  getThreadsFlagValue,
  initializeEnvironment,
  isHostedRunner,
-  isSipEnabled,
  ConfigurationError,
  wrapError,
  checkActionVersion,
@ -561,7 +561,7 @@ async function run() {
      !(await codeQlVersionAtLeast(codeql, "2.15.1")) &&
      process.platform === "darwin" &&
      (process.arch === "arm" || process.arch === "arm64") &&
-      !(await isSipEnabled(logger))
+      !(await checkSipEnablement(logger))
    ) {
      logger.warning(
        "CodeQL versions 2.15.0 and lower are not supported on MacOS ARM machines with System Integrity Protection (SIP) disabled.",
--- a/src/util.ts
+++ b/src/util.ts
@ -1021,7 +1021,7 @@ export async function checkDiskUsage(
    if (
      process.platform === "darwin" &&
      (process.arch === "arm" || process.arch === "arm64") &&
-      !(await isSipEnabled(logger))
+      !(await checkSipEnablement(logger))
    ) {
      return undefined;
    }
@ -1113,11 +1113,20 @@ export function cloneObject<T>(obj: T): T {
  return JSON.parse(JSON.stringify(obj)) as T;
 }

-// For MacOS runners: runs `csrutil status` to determine whether System
-// Integrity Protection is enabled.
-export async function isSipEnabled(
+// The first time this function is called, it runs `csrutil status` to determine
+// whether System Integrity Protection is enabled; and saves the result in an
+// environment variable. Afterwards, simply return the value of the environment
+// variable.
+export async function checkSipEnablement(
  logger: Logger,
 ): Promise<boolean | undefined> {
+  if (
+    process.env[EnvVar.IS_SIP_ENABLED] !== undefined &&
+    ["true", "false"].includes(process.env[EnvVar.IS_SIP_ENABLED])
+  ) {
+    return process.env[EnvVar.IS_SIP_ENABLED] === "true";
+  }
+
  try {
    const sipStatusOutput = await exec.getExecOutput("csrutil status");
    if (sipStatusOutput.exitCode === 0) {
@ -1126,6 +1135,7 @@ export async function isSipEnabled(
          "System Integrity Protection status: enabled.",
        )
      ) {
+        core.exportVariable(EnvVar.IS_SIP_ENABLED, "true");
        return true;
      }
      if (
@ -1133,6 +1143,7 @@ export async function isSipEnabled(
          "System Integrity Protection status: disabled.",
        )
      ) {
+        core.exportVariable(EnvVar.IS_SIP_ENABLED, "false");
        return false;
      }
    }