Merge branch 'main' into angelapwen/refactor-debug-artifacts-pr-check

.github/workflows/pr-checks.yml

@@ -10,17 +10,8 @@ on:
   workflow_dispatch:
 
 jobs:
-  lint-js:
-    name: Lint
-    runs-on: ubuntu-latest
-    timeout-minutes: 45
-
-    steps:
-      - uses: actions/checkout@v3
-      - name: Run Lint
-        run: npm run-script lint
-
   check-js:
+    name: Check JS
     runs-on: ubuntu-latest
     timeout-minutes: 45
 
@@ -30,7 +21,11 @@ jobs:
         node-types-version: [12.12, current]
 
     steps:
-      - uses: actions/checkout@v3
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Lint
+        run: npm run-script lint
 
       - name: Update version of @types/node
         if: matrix.node-types-version != 'current'
@@ -414,7 +409,10 @@ jobs:
       - name: Build code
         shell: bash
         run: |
-          ../action/runner/dist/codeql-runner-macos autobuild
+          . codeql-runner/codeql-env.sh
+          CODEQL_RUNNER="$(cat codeql-runner/codeql-env.json | jq -r '.CODEQL_RUNNER')"
+          echo "$CODEQL_RUNNER"
+          $CODEQL_RUNNER ../action/runner/dist/codeql-runner-macos autobuild
 
       - name: Run analyze
         run: |

.github/workflows/python-deps.yml

@@ -7,6 +7,17 @@ on:
     # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
     # by other workflows.
     types: [opened, synchronize, reopened, ready_for_review]
+    paths:
+      # Changes to this workflow.
+      - '.github/workflows/python-deps.yml'
+      # Changes to the Python package installation scripts and their tests.
+      - 'python-setup/**'
+      # Changes to the default CodeQL bundle version.
+      - '**/defaults.json'
+  schedule:
+    # Weekly on Monday.
+    - cron: '0 0 * * 1'
+  workflow_dispatch:
 
 jobs:
   test-setup-python-scripts:

CHANGELOG.md

@@ -2,6 +2,10 @@
 
 ## [UNRELEASED]
 
+No user facing changes.
+
+## 2.1.17 - 28 Jul 2022
+
 - Update default CodeQL bundle version to 2.10.1.  [#1143](https://github.com/github/codeql-action/pull/1143)
 
 ## 2.1.16 - 13 Jul 2022

package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "2.1.17",
+  "version": "2.1.18",
   "private": true,
   "description": "CodeQL action",
   "scripts": {

pr-checks/checks/autobuild-action.yml

@@ -0,0 +1,28 @@
+name: "autobuild-action"
+description: "Tests that the C# autobuild action works"
+versions: ["latest"]
+steps:
+  - uses: ./../action/init
+    with:
+      languages: csharp
+      tools: ${{ steps.prepare-test.outputs.tools-url }}
+  - uses: ./../action/autobuild
+    env:
+      # Explicitly disable the CLR tracer.
+      COR_ENABLE_PROFILING: ""
+      COR_PROFILER: ""
+      COR_PROFILER_PATH_64: ""
+      CORECLR_ENABLE_PROFILING: ""
+      CORECLR_PROFILER: ""
+      CORECLR_PROFILER_PATH_64: ""
+  - uses: ./../action/analyze
+    env:
+      TEST_MODE: true
+  - name: Check database
+    shell: bash
+    run: |
+      cd "$RUNNER_TEMP/codeql_databases"
+      if [[ ! -d csharp ]]; then
+        echo "Did not find a C# database"
+        exit 1
+      fi

src/codeql.ts

@@ -780,6 +780,20 @@ async function getCodeQLForCmd(
         "-Dmaven.wagon.http.pool=false",
       ].join(" ");
 
+      // On macOS, System Integrity Protection (SIP) typically interferes with
+      // CodeQL build tracing of protected binaries.
+      // The usual workaround is to prefix `$CODEQL_RUNNER` to build commands:
+      // `$CODEQL_RUNNER` (not to be confused with the deprecated CodeQL Runner tool)
+      // points to a simple wrapper binary included with the CLI, and the extra layer of
+      // process indirection helps the tracer bypass SIP.
+
+      // The above SIP workaround is *not* needed here.
+      // At the `autobuild` step in the Actions workflow, we assume the `init` step
+      // has successfully run, and will have exported `DYLD_INSERT_LIBRARIES`
+      // into the environment of subsequent steps, to activate the tracer.
+      // When `DYLD_INSERT_LIBRARIES` is set in the environment for a step,
+      // the Actions runtime introduces its own workaround for SIP
+      // (https://github.com/actions/runner/pull/416).
       await runTool(autobuildCmd);
     },
     async extractScannedLanguage(