robojerk/codeql-action

Only run check SIP enablement once in init step (#2441)

Browse source 
Co-authored-by: Henry Mercer <henrymercer@github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
This commit is contained in:
Angela P Wen 2024-08-23 09:17:22 -07:00 committed by GitHub
parent fd5fa130e2
commit 7e27807413
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
10 changed files with 46 additions and 16 deletions
Download patch file Download diff file Expand all files Collapse all files

18
lib/util.js generated
View file

@ -67,7 +67,7 @@ exports.prettyPrintPack = prettyPrintPack;
exports.checkDiskUsage = checkDiskUsage;
exports.checkActionVersion = checkActionVersion;
exports.cloneObject = cloneObject;
exports.isSipEnabled = isSipEnabled;
exports.checkSipEnablement = checkSipEnablement;
const fs = __importStar(require("fs"));
const os = __importStar(require("os"));
const path = __importStar(require("path"));
@ -795,7 +795,7 @@ async function checkDiskUsage(logger) {
// We avoid running the `df` binary under the hood for macOS ARM runners with SIP disabled.
if (process.platform === "darwin" &&
(process.arch === "arm" || process.arch === "arm64") &&
!(await isSipEnabled(logger))) {
!(await checkSipEnablement(logger))) {
return undefined;
}
const diskUsage = await (0, check_disk_space_1.default)(getRequiredEnvParam("GITHUB_WORKSPACE"));
@ -868,16 +868,24 @@ var BuildMode;
function cloneObject(obj) {
return JSON.parse(JSON.stringify(obj));
}
// For MacOS runners: runs `csrutil status` to determine whether System
// Integrity Protection is enabled.
async function isSipEnabled(logger) {
// The first time this function is called, it runs `csrutil status` to determine
// whether System Integrity Protection is enabled; and saves the result in an
// environment variable. Afterwards, simply return the value of the environment
// variable.
async function checkSipEnablement(logger) {
if (process.env[environment_1.EnvVar.IS_SIP_ENABLED] !== undefined &&
["true", "false"].includes(process.env[environment_1.EnvVar.IS_SIP_ENABLED])) {
return process.env[environment_1.EnvVar.IS_SIP_ENABLED] === "true";
}
try {
const sipStatusOutput = await exec.getExecOutput("csrutil status");
if (sipStatusOutput.exitCode === 0) {
if (sipStatusOutput.stdout.includes("System Integrity Protection status: enabled.")) {
core.exportVariable(environment_1.EnvVar.IS_SIP_ENABLED, "true");
return true;
}
if (sipStatusOutput.stdout.includes("System Integrity Protection status: disabled.")) {
core.exportVariable(environment_1.EnvVar.IS_SIP_ENABLED, "false");
return false;
}
}