Log warning if SIP is disabled and CLI version is < 2.15.1 (#2261)

* PR Checks: use `macos-12` runners for CLI v. < 2.15.1 Prior to CLI v2.15.1, MacOS ARM runners were not supported by the build tracer. "macos-latest" is now an ARM runner, so we run these tests on the old CLIs on Intel runners instead. * Log a warning if SIP is disabled and CLI is < 2.15.1 * Add changenote for SIP-disabled support on old CLI versions * Set up Python 3.11 for all MacOS checks
2024-04-25 15:20:13 -07:00 · 2024-04-25 15:20:13 -07:00 · ac2f82a1ff
commit ac2f82a1ff
parent 0ad7791640
74 changed files with 251 additions and 136 deletions
--- a/src/init.ts
+++ b/src/init.ts
@ -1,6 +1,7 @@
 import * as fs from "fs";
 import * as path from "path";

+import * as exec from "@actions/exec/lib/exec";
 import * as toolrunner from "@actions/exec/lib/toolrunner";
 import * as safeWhich from "@chrisgavin/safe-which";

@ -140,3 +141,33 @@ export async function checkInstallPython311(
    ]).exec();
  }
 }
+
+// For MacOS runners: runs `csrutil status` to determine whether System
+// Integrity Protection is enabled.
+export async function isSipEnabled(logger): Promise<boolean | undefined> {
+  try {
+    const sipStatusOutput = await exec.getExecOutput("csrutil status");
+    if (sipStatusOutput.exitCode === 0) {
+      if (
+        sipStatusOutput.stdout.includes(
+          "System Integrity Protection status: enabled.",
+        )
+      ) {
+        return true;
+      }
+      if (
+        sipStatusOutput.stdout.includes(
+          "System Integrity Protection status: disabled.",
+        )
+      ) {
+        return false;
+      }
+    }
+    return undefined;
+  } catch (e) {
+    logger.warning(
+      `Failed to determine if System Integrity Protection was enabled: ${e}`,
+    );
+    return undefined;
+  }
+}