Only run check SIP enablement once in init step (#2441)

Co-authored-by: Henry Mercer <henrymercer@github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

CHANGELOG.md

@@ -6,7 +6,7 @@ Note that the only difference between `v2` and `v3` of the CodeQL Action is the
 
 ## [UNRELEASED]
 
-No user facing changes.
+- Fix an issue where the `csrutil` system call used for telemetry would fail on MacOS ARM machines with System Integrity Protection disabled. [#2441](https://github.com/github/codeql-action/pull/2441)
 
 ## 3.26.4 - 21 Aug 2024
 

src/environment.ts

@@ -50,6 +50,12 @@ export enum EnvVar {
   /** Whether the init action has been run. */
   INIT_ACTION_HAS_RUN = "CODEQL_ACTION_INIT_HAS_RUN",
 
+  /**
+   * For MacOS. Result of `csrutil status` to determine whether System Integrity
+   * Protection is enabled.
+   */
+  IS_SIP_ENABLED = "CODEQL_ACTION_IS_SIP_ENABLED",
+
   /** UUID representing the current job run. */
   JOB_RUN_UUID = "JOB_RUN_UUID",
 

src/init-action.ts

@@ -48,6 +48,7 @@ import {
   checkDiskUsage,
   checkForTimeout,
   checkGitHubVersionInRange,
+  checkSipEnablement,
   codeQlVersionAtLeast,
   DEFAULT_DEBUG_ARTIFACT_NAME,
   DEFAULT_DEBUG_DATABASE_NAME,
@@ -56,7 +57,6 @@ import {
   getThreadsFlagValue,
   initializeEnvironment,
   isHostedRunner,
-  isSipEnabled,
   ConfigurationError,
   wrapError,
   checkActionVersion,
@@ -555,7 +555,7 @@ async function run() {
       !(await codeQlVersionAtLeast(codeql, "2.15.1")) &&
       process.platform === "darwin" &&
       (process.arch === "arm" || process.arch === "arm64") &&
-      !(await isSipEnabled(logger))
+      !(await checkSipEnablement(logger))
     ) {
       logger.warning(
         "CodeQL versions 2.15.0 and lower are not supported on MacOS ARM machines with System Integrity Protection (SIP) disabled.",

src/util.ts

@@ -1021,7 +1021,7 @@ export async function checkDiskUsage(
     if (
       process.platform === "darwin" &&
       (process.arch === "arm" || process.arch === "arm64") &&
-      !(await isSipEnabled(logger))
+      !(await checkSipEnablement(logger))
     ) {
       return undefined;
     }
@@ -1113,11 +1113,20 @@ export function cloneObject<T>(obj: T): T {
   return JSON.parse(JSON.stringify(obj)) as T;
 }
 
-// For MacOS runners: runs `csrutil status` to determine whether System
-// Integrity Protection is enabled.
-export async function isSipEnabled(
+// The first time this function is called, it runs `csrutil status` to determine
+// whether System Integrity Protection is enabled; and saves the result in an
+// environment variable. Afterwards, simply return the value of the environment
+// variable.
+export async function checkSipEnablement(
   logger: Logger,
 ): Promise<boolean | undefined> {
+  if (
+    process.env[EnvVar.IS_SIP_ENABLED] !== undefined &&
+    ["true", "false"].includes(process.env[EnvVar.IS_SIP_ENABLED])
+  ) {
+    return process.env[EnvVar.IS_SIP_ENABLED] === "true";
+  }
+
   try {
     const sipStatusOutput = await exec.getExecOutput("csrutil status");
     if (sipStatusOutput.exitCode === 0) {
@@ -1126,13 +1135,15 @@ export async function isSipEnabled(
           "System Integrity Protection status: enabled.",
         )
       ) {
+        core.exportVariable(EnvVar.IS_SIP_ENABLED, "true");
         return true;
       }
       if (
         sipStatusOutput.stdout.includes(
           "System Integrity Protection status: disabled.",
         )
       ) {
+        core.exportVariable(EnvVar.IS_SIP_ENABLED, "false");
         return false;
       }
     }