Autobuild: Expand comment on SIP workarounds
adityasharad committed Jul 25, 2022
1 parent b4fddcb commit 675310b
Showing 1 changed file with 14 additions and 4 deletions.
18 changes: 14 additions & 4 deletions src/codeql.ts
Expand Up @@ -780,10 +780,20 @@ async function getCodeQLForCmd(
"-Dmaven.wagon.http.pool=false",
].join(" ");

// We do not need to prefix $CODEQL_RUNNER here on macOS to bypass SIP,
// because we assume that the init step exported DYLD_INSERT_LIBRARIES
// into the environment, which activates the Actions workaround for
// SIP. See https://github.com/actions/runner/pull/416.
// On macOS, System Integrity Protection (SIP) typically interferes with
// CodeQL build tracing of protected binaries.
// The usual workaround is to prefix `$CODEQL_RUNNER` to build commands:
// `$CODEQL_RUNNER` (not to be confused with the deprecated CodeQL Runner tool)
// points to a simple wrapper binary included with the CLI, and the extra layer of
// process indirection helps the tracer bypass SIP.

// The above SIP workaround is *not* needed here.
// At the `autobuild` step in the Actions workflow, we assume the `init` step
// has successfully run, and will have exported `DYLD_INSERT_LIBRARIES`
// into the environment of subsequent steps, to activate the tracer.
// When `DYLD_INSERT_LIBRARIES` is set in the environment for a step,
// the Actions runtime introduces its own workaround for SIP
// (https://github.com/actions/runner/pull/416).
await runTool(autobuildCmd);
},
async extractScannedLanguage(
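
Review bot: The expanded comment above `await runTool(autobuildCmd);` documents an assumption (that the `init` step ran successfully and exported `DYLD_INSERT_LIBRARIES`) that nothing in the visible lines verifies. By the comment's own reasoning, if the variable is missing on macOS then neither the `$CODEQL_RUNNER` prefix nor the Actions runtime workaround is in effect, so tracing of SIP-protected binaries could fail with no signal to the user. Consider checking `process.env["DYLD_INSERT_LIBRARIES"]` on macOS just before the call and logging a warning when it is unset, or have the comment say where that assumption is enforced. Minor style point: the empty line between the two comment paragraphs could be a bare `//` so the explanation reads as one block attached to the call.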