Log a warning if SIP is disabled and CLI is < 2.15.1

github · Apr 25, 2024 · ab00339 · ab00339
1 parent 366c5f9
commit ab00339
Show file tree

Hide file tree

Showing 6 changed files with 82 additions and 4 deletions.
diff --git a/lib/init-action.js b/lib/init-action.js
diff --git a/lib/init-action.js.map b/lib/init-action.js.map
diff --git a/lib/init.js b/lib/init.js
diff --git a/lib/init.js.map b/lib/init.js.map
diff --git a/src/init-action.ts b/src/init-action.ts
@@ -24,7 +24,13 @@ import {
 } from "./diagnostics";
 import { EnvVar } from "./environment";
 import { Feature, Features } from "./feature-flags";
-import { checkInstallPython311, initCodeQL, initConfig, runInit } from "./init";
+import {
+  checkInstallPython311,
+  initCodeQL,
+  initConfig,
+  isSipEnabled,
+  runInit,
+} from "./init";
 import { Language } from "./languages";
 import { getActionsLogger, Logger } from "./logging";
 import { parseRepositoryNwo } from "./repository";
@@ -467,6 +473,18 @@ async function run() {
       }
     }
 
+    // For CLI versions <2.15.1, build tracing caused errors in MacOS ARM machines with
+    // System Integrity Protection (SIP) disabled.
+    if (
+      !(await codeQlVersionAbove(codeql, "2.15.1")) &&
+      process.platform === "darwin" &&
+      !(await isSipEnabled(logger))
+    ) {
+      logger.warning(
+        "CodeQL versions 2.15.0 and lower are not supported on MacOS ARM machines with System Integrity Protection (SIP) disabled.",
+      );
+    }
+
     // From 2.16.0 the default for the python extractor is to not perform any
     // dependency extraction. For versions before that, you needed to set this flag to
     // enable this behavior (supported since 2.13.1).

diff --git a/src/init.ts b/src/init.ts
@@ -1,6 +1,7 @@
 import * as fs from "fs";
 import * as path from "path";
 
+import * as exec from "@actions/exec/lib/exec";
 import * as toolrunner from "@actions/exec/lib/toolrunner";
 import * as safeWhich from "@chrisgavin/safe-which";
 
@@ -140,3 +141,33 @@ export async function checkInstallPython311(
     ]).exec();
   }
 }
+
+// For MacOS runners: runs `csrutil status` to determine whether System
+// Integrity Protection is enabled.
+export async function isSipEnabled(logger): Promise<boolean | undefined> {
+  try {
+    const sipStatusOutput = await exec.getExecOutput("csrutil status");
+    if (sipStatusOutput.exitCode === 0) {
+      if (
+        sipStatusOutput.stdout.includes(
+          "System Integrity Protection status: enabled.",
+        )
+      ) {
+        return true;
+      }
+      if (
+        sipStatusOutput.stdout.includes(
+          "System Integrity Protection status: disabled.",
+        )
+      ) {
+        return false;
+      }
+    }
+    return undefined;
+  } catch (e) {
+    logger.warning(
+      `Failed to determine if System Integrity Protection was enabled: ${e}`,
+    );
+    return undefined;
+  }
+}