Only run check SIP enablement once in init step (#2441)

Co-authored-by: Henry Mercer <henrymercer@github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2024-08-23 09:17:22 -07:00 · 2024-08-23 09:17:22 -07:00 · 7e27807413
commit 7e27807413
parent fd5fa130e2
10 changed files with 46 additions and 16 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -6,7 +6,7 @@ Note that the only difference between `v2` and `v3` of the CodeQL Action is the

 ## [UNRELEASED]

-No user facing changes.
+- Fix an issue where the `csrutil` system call used for telemetry would fail on MacOS ARM machines with System Integrity Protection disabled. [#2441](https://github.com/github/codeql-action/pull/2441)

 ## 3.26.4 - 21 Aug 2024

--- a/lib/environment.js
+++ b/lib/environment.js
@ -43,6 +43,11 @@ var EnvVar;
    EnvVar["HAS_WARNED_ABOUT_DISK_SPACE"] = "CODEQL_ACTION_HAS_WARNED_ABOUT_DISK_SPACE";
    /** Whether the init action has been run. */
    EnvVar["INIT_ACTION_HAS_RUN"] = "CODEQL_ACTION_INIT_HAS_RUN";
+    /**
+     * For MacOS. Result of `csrutil status` to determine whether System Integrity
+     * Protection is enabled.
+     */
+    EnvVar["IS_SIP_ENABLED"] = "CODEQL_ACTION_IS_SIP_ENABLED";
    /** UUID representing the current job run. */
    EnvVar["JOB_RUN_UUID"] = "JOB_RUN_UUID";
    /** Status for the entire job, submitted to the status report in `init-post` */
--- a/lib/environment.js.map
+++ b/lib/environment.js.map
@ -1 +1 @@
-{"version":3,"file":"environment.js","sourceRoot":"","sources":["../src/environment.ts"],"names":[],"mappings":";;;AAAA;;;;;GAKG;AACH,IAAY,MAqFX;AArFD,WAAY,MAAM;IAChB,2DAA2D;IAC3D,+FAAqF,CAAA;IAErF,6DAA6D;IAC7D,mGAAyF,CAAA;IAEzF;;;OAGG;IACH,4CAAkC,CAAA;IAElC,gEAAgE;IAChE,qEAA2D,CAAA;IAE3D;;;OAGG;IACH,yFAA+E,CAAA;IAE/E;;;OAGG;IACH,yEAA+D,CAAA;IAE/D,gFAAgF;IAChF,6DAAmD,CAAA;IAEnD;;;OAGG;IACH,uEAA6D,CAAA;IAE7D,gEAAgE;IAChE,mEAAyD,CAAA;IAEzD,kFAAkF;IAClF,mFAAyE,CAAA;IAEzE,4CAA4C;IAC5C,4DAAkD,CAAA;IAElD,6CAA6C;IAC7C,uCAA6B,CAAA;IAE7B,+EAA+E;IAC/E,iDAAuC,CAAA;IAEvC,mEAAyD,CAAA;IAEzD;;;OAGG;IACH,2FAAiF,CAAA;IAEjF,mFAAmF;IACnF,6FAAmF,CAAA;IAEnF,qFAAqF;IACrF,+CAAqC,CAAA;IAErC,mEAAyD,CAAA;IAEzD,kEAAkE;IAClE,2CAAiC,CAAA;IAEjC;;;;;;OAMG;IACH,4DAAkD,CAAA;IAElD;;;OAGG;IACH,wDAA8C,CAAA;AAChD,CAAC,EArFW,MAAM,sBAAN,MAAM,QAqFjB"}
+{"version":3,"file":"environment.js","sourceRoot":"","sources":["../src/environment.ts"],"names":[],"mappings":";;;AAAA;;;;;GAKG;AACH,IAAY,MA2FX;AA3FD,WAAY,MAAM;IAChB,2DAA2D;IAC3D,+FAAqF,CAAA;IAErF,6DAA6D;IAC7D,mGAAyF,CAAA;IAEzF;;;OAGG;IACH,4CAAkC,CAAA;IAElC,gEAAgE;IAChE,qEAA2D,CAAA;IAE3D;;;OAGG;IACH,yFAA+E,CAAA;IAE/E;;;OAGG;IACH,yEAA+D,CAAA;IAE/D,gFAAgF;IAChF,6DAAmD,CAAA;IAEnD;;;OAGG;IACH,uEAA6D,CAAA;IAE7D,gEAAgE;IAChE,mEAAyD,CAAA;IAEzD,kFAAkF;IAClF,mFAAyE,CAAA;IAEzE,4CAA4C;IAC5C,4DAAkD,CAAA;IAElD;;;OAGG;IACH,yDAA+C,CAAA;IAE/C,6CAA6C;IAC7C,uCAA6B,CAAA;IAE7B,+EAA+E;IAC/E,iDAAuC,CAAA;IAEvC,mEAAyD,CAAA;IAEzD;;;OAGG;IACH,2FAAiF,CAAA;IAEjF,mFAAmF;IACnF,6FAAmF,CAAA;IAEnF,qFAAqF;IACrF,+CAAqC,CAAA;IAErC,mEAAyD,CAAA;IAEzD,kEAAkE;IAClE,2CAAiC,CAAA;IAEjC;;;;;;OAMG;IACH,4DAAkD,CAAA;IAElD;;;OAGG;IACH,wDAA8C,CAAA;AAChD,CAAC,EA3FW,MAAM,sBAAN,MAAM,QA2FjB"}
--- a/lib/init-action.js
+++ b/lib/init-action.js
@ -329,7 +329,7 @@ async function run() {
        if (!(await (0, util_1.codeQlVersionAtLeast)(codeql, "2.15.1")) &&
            process.platform === "darwin" &&
            (process.arch === "arm" || process.arch === "arm64") &&
-            !(await (0, util_1.isSipEnabled)(logger))) {
+            !(await (0, util_1.checkSipEnablement)(logger))) {
            logger.warning("CodeQL versions 2.15.0 and lower are not supported on MacOS ARM machines with System Integrity Protection (SIP) disabled.");
        }
        // From 2.16.0 the default for the python extractor is to not perform any
--- a/lib/init-action.js.map
+++ b/lib/init-action.js.map
--- a/lib/util.js
+++ b/lib/util.js
@ -67,7 +67,7 @@ exports.prettyPrintPack = prettyPrintPack;
 exports.checkDiskUsage = checkDiskUsage;
 exports.checkActionVersion = checkActionVersion;
 exports.cloneObject = cloneObject;
-exports.isSipEnabled = isSipEnabled;
+exports.checkSipEnablement = checkSipEnablement;
 const fs = __importStar(require("fs"));
 const os = __importStar(require("os"));
 const path = __importStar(require("path"));
@ -795,7 +795,7 @@ async function checkDiskUsage(logger) {
        // We avoid running the `df` binary under the hood for macOS ARM runners with SIP disabled.
        if (process.platform === "darwin" &&
            (process.arch === "arm" || process.arch === "arm64") &&
-            !(await isSipEnabled(logger))) {
+            !(await checkSipEnablement(logger))) {
            return undefined;
        }
        const diskUsage = await (0, check_disk_space_1.default)(getRequiredEnvParam("GITHUB_WORKSPACE"));
@ -868,16 +868,24 @@ var BuildMode;
 function cloneObject(obj) {
    return JSON.parse(JSON.stringify(obj));
 }
-// For MacOS runners: runs `csrutil status` to determine whether System
-// Integrity Protection is enabled.
-async function isSipEnabled(logger) {
+// The first time this function is called, it runs `csrutil status` to determine
+// whether System Integrity Protection is enabled; and saves the result in an
+// environment variable. Afterwards, simply return the value of the environment
+// variable.
+async function checkSipEnablement(logger) {
+    if (process.env[environment_1.EnvVar.IS_SIP_ENABLED] !== undefined &&
+        ["true", "false"].includes(process.env[environment_1.EnvVar.IS_SIP_ENABLED])) {
+        return process.env[environment_1.EnvVar.IS_SIP_ENABLED] === "true";
+    }
    try {
        const sipStatusOutput = await exec.getExecOutput("csrutil status");
        if (sipStatusOutput.exitCode === 0) {
            if (sipStatusOutput.stdout.includes("System Integrity Protection status: enabled.")) {
+                core.exportVariable(environment_1.EnvVar.IS_SIP_ENABLED, "true");
                return true;
            }
            if (sipStatusOutput.stdout.includes("System Integrity Protection status: disabled.")) {
+                core.exportVariable(environment_1.EnvVar.IS_SIP_ENABLED, "false");
                return false;
            }
        }
--- a/lib/util.js.map
+++ b/lib/util.js.map
--- a/src/environment.ts
+++ b/src/environment.ts
@ -50,6 +50,12 @@ export enum EnvVar {
  /** Whether the init action has been run. */
  INIT_ACTION_HAS_RUN = "CODEQL_ACTION_INIT_HAS_RUN",

+  /**
+   * For MacOS. Result of `csrutil status` to determine whether System Integrity
+   * Protection is enabled.
+   */
+  IS_SIP_ENABLED = "CODEQL_ACTION_IS_SIP_ENABLED",
+
  /** UUID representing the current job run. */
  JOB_RUN_UUID = "JOB_RUN_UUID",

--- a/src/init-action.ts
+++ b/src/init-action.ts
@ -48,6 +48,7 @@ import {
  checkDiskUsage,
  checkForTimeout,
  checkGitHubVersionInRange,
+  checkSipEnablement,
  codeQlVersionAtLeast,
  DEFAULT_DEBUG_ARTIFACT_NAME,
  DEFAULT_DEBUG_DATABASE_NAME,
@ -56,7 +57,6 @@ import {
  getThreadsFlagValue,
  initializeEnvironment,
  isHostedRunner,
-  isSipEnabled,
  ConfigurationError,
  wrapError,
  checkActionVersion,
@ -555,7 +555,7 @@ async function run() {
      !(await codeQlVersionAtLeast(codeql, "2.15.1")) &&
      process.platform === "darwin" &&
      (process.arch === "arm" || process.arch === "arm64") &&
-      !(await isSipEnabled(logger))
+      !(await checkSipEnablement(logger))
    ) {
      logger.warning(
        "CodeQL versions 2.15.0 and lower are not supported on MacOS ARM machines with System Integrity Protection (SIP) disabled.",
--- a/src/util.ts
+++ b/src/util.ts
@ -1021,7 +1021,7 @@ export async function checkDiskUsage(
    if (
      process.platform === "darwin" &&
      (process.arch === "arm" || process.arch === "arm64") &&
-      !(await isSipEnabled(logger))
+      !(await checkSipEnablement(logger))
    ) {
      return undefined;
    }
@ -1113,11 +1113,20 @@ export function cloneObject<T>(obj: T): T {
  return JSON.parse(JSON.stringify(obj)) as T;
 }

-// For MacOS runners: runs `csrutil status` to determine whether System
-// Integrity Protection is enabled.
-export async function isSipEnabled(
+// The first time this function is called, it runs `csrutil status` to determine
+// whether System Integrity Protection is enabled; and saves the result in an
+// environment variable. Afterwards, simply return the value of the environment
+// variable.
+export async function checkSipEnablement(
  logger: Logger,
 ): Promise<boolean | undefined> {
+  if (
+    process.env[EnvVar.IS_SIP_ENABLED] !== undefined &&
+    ["true", "false"].includes(process.env[EnvVar.IS_SIP_ENABLED])
+  ) {
+    return process.env[EnvVar.IS_SIP_ENABLED] === "true";
+  }
+
  try {
    const sipStatusOutput = await exec.getExecOutput("csrutil status");
    if (sipStatusOutput.exitCode === 0) {
@ -1126,6 +1135,7 @@ export async function isSipEnabled(
          "System Integrity Protection status: enabled.",
        )
      ) {
+        core.exportVariable(EnvVar.IS_SIP_ENABLED, "true");
        return true;
      }
      if (
@ -1133,6 +1143,7 @@ export async function isSipEnabled(
          "System Integrity Protection status: disabled.",
        )
      ) {
+        core.exportVariable(EnvVar.IS_SIP_ENABLED, "false");
        return false;
      }
    }