robojerk/codeql-action

Log warning if SIP is disabled and CLI version is < 2.15.1 (#2261)

Browse source 
* PR Checks: use `macos-12` runners for CLI v. < 2.15.1

Prior to CLI v2.15.1, MacOS ARM runners were not supported by the build tracer. "macos-latest" is now an ARM runner, so we run these tests on the old CLIs on Intel runners instead.

* Log a warning if SIP is disabled and CLI is < 2.15.1

* Add changenote for SIP-disabled support on old CLI versions

* Set up Python 3.11 for all MacOS checks
This commit is contained in:
Angela P Wen 2024-04-25 15:20:13 -07:00 committed by GitHub
parent 0ad7791640
commit ac2f82a1ff
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
74 changed files with 251 additions and 136 deletions
Download patch file Download diff file Expand all files Collapse all files

24
lib/init.js generated
View file

@ -23,9 +23,10 @@ var __importStar = (this && this.__importStar) || function (mod) {
return result;
};
Object.defineProperty(exports, "__esModule", { value: true });
exports.checkInstallPython311 = exports.printPathFiltersWarning = exports.runInit = exports.initConfig = exports.initCodeQL = void 0;
exports.isSipEnabled = exports.checkInstallPython311 = exports.printPathFiltersWarning = exports.runInit = exports.initConfig = exports.initCodeQL = void 0;
const fs = __importStar(require("fs"));
const path = __importStar(require("path"));
const exec = __importStar(require("@actions/exec/lib/exec"));
const toolrunner = __importStar(require("@actions/exec/lib/toolrunner"));
const safeWhich = __importStar(require("@chrisgavin/safe-which"));
const codeql_1 = require("./codeql");
@ -89,4 +90,25 @@ async function checkInstallPython311(languages, codeql) {
}
}
exports.checkInstallPython311 = checkInstallPython311;
// For MacOS runners: runs `csrutil status` to determine whether System
// Integrity Protection is enabled.
async function isSipEnabled(logger) {
try {
const sipStatusOutput = await exec.getExecOutput("csrutil status");
if (sipStatusOutput.exitCode === 0) {
if (sipStatusOutput.stdout.includes("System Integrity Protection status: enabled.")) {
return true;
}
if (sipStatusOutput.stdout.includes("System Integrity Protection status: disabled.")) {
return false;
}
}
return undefined;
}
catch (e) {
logger.warning(`Failed to determine if System Integrity Protection was enabled: ${e}`);
return undefined;
}
}
exports.isSipEnabled = isSipEnabled;
//# sourceMappingURL=init.js.map