Autobuild: Remove CODEQL_RUNNER workaround

We do not need to prefix `$CODEQL_RUNNER` here on macOS to bypass SIP,
because we assume that the `init` step exported `DYLD_INSERT_LIBRARIES`
into the environment, which activates the Actions workaround for SIP.
See https://github.com/actions/runner/pull/416.

lib/codeql.js

@@ -510,13 +510,20 @@ async function getCodeQLForCmd(cmd, checkVersion) {
                 "-Dhttp.keepAlive=false",
                 "-Dmaven.wagon.http.pool=false",
             ].join(" ");
-            const runnerExe = process.env["CODEQL_RUNNER"];
-            if (runnerExe) {
-                await runTool(runnerExe, [autobuildCmd]);
-            }
-            else {
-                await runTool(autobuildCmd);
-            }
+            // On macOS, System Integrity Protection (SIP) typically interferes with
+            // CodeQL build tracing of protected binaries.
+            // The usual workaround is to prefix `$CODEQL_RUNNER` to build commands:
+            // `$CODEQL_RUNNER` (not to be confused with the deprecated CodeQL Runner tool)
+            // points to a simple wrapper binary included with the CLI, and the extra layer of
+            // process indirection helps the tracer bypass SIP.
+            // The above SIP workaround is *not* needed here.
+            // At the `autobuild` step in the Actions workflow, we assume the `init` step
+            // has successfully run, and will have exported `DYLD_INSERT_LIBRARIES`
+            // into the environment of subsequent steps, to activate the tracer.
+            // When `DYLD_INSERT_LIBRARIES` is set in the environment for a step,
+            // the Actions runtime introduces its own workaround for SIP
+            // (https://github.com/actions/runner/pull/416).
+            await runTool(autobuildCmd);
         },
         async extractScannedLanguage(databasePath, language, featureFlags) {
             // Get extractor location

src/codeql.ts

@@ -780,12 +780,21 @@ async function getCodeQLForCmd(
         "-Dmaven.wagon.http.pool=false",
       ].join(" ");
 
-      const runnerExe = process.env["CODEQL_RUNNER"];
-      if (runnerExe) {
-        await runTool(runnerExe, [autobuildCmd]);
-      } else {
-        await runTool(autobuildCmd);
-      }
+      // On macOS, System Integrity Protection (SIP) typically interferes with
+      // CodeQL build tracing of protected binaries.
+      // The usual workaround is to prefix `$CODEQL_RUNNER` to build commands:
+      // `$CODEQL_RUNNER` (not to be confused with the deprecated CodeQL Runner tool)
+      // points to a simple wrapper binary included with the CLI, and the extra layer of
+      // process indirection helps the tracer bypass SIP.
+
+      // The above SIP workaround is *not* needed here.
+      // At the `autobuild` step in the Actions workflow, we assume the `init` step
+      // has successfully run, and will have exported `DYLD_INSERT_LIBRARIES`
+      // into the environment of subsequent steps, to activate the tracer.
+      // When `DYLD_INSERT_LIBRARIES` is set in the environment for a step,
+      // the Actions runtime introduces its own workaround for SIP
+      // (https://github.com/actions/runner/pull/416).
+      await runTool(autobuildCmd);
     },
     async extractScannedLanguage(
       databasePath: string,