autobuild: Update tests for C# on macOS #1149
Without this, the tracer will not be injected on macOS, as we need the runner to circumvent SIP. Also add a test that tests the autobuild-action to exercise this code path.
@@ -0,0 +1,20 @@ | |||
name: "Autobuild " | |||
description: "Tests that C# " |
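Review bot: the `name` and `description` strings in this hunk are truncated (`name: "Autobuild "` and `description: "Tests that C# "` both end mid-phrase), so the action metadata would ship half-written; complete them with the full action name and a description stating what the test checks, and confirm the file name of the new action matches the other test actions in this directory.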
I think this line and the one above are incomplete.
Yes, and the file name is wrong too.
LGTM. Minor suggestions only.
I wonder why this change is necessary, and wouldn't workflows with custom build commands also need a similar tweak? The actions/runner already inserts an intermediate process, so CODEQL_RUNNER should not be needed. See also: actions/runner#416
As discussed separately, we do not need to introduce the CODEQL_RUNNER prefix thanks to Actions' own protection mechanism, but we do want to keep the new PR check introduced here.
Add the missing `$CODEQL_RUNNER` prefix to the autobuild command line. This intermediate process works around System Integrity Protection, allowing the tracer to start the C# extractor for the dotnet builds within the autobuild process. The test used to pass without this because the legacy CLR tracer bypassed SIP while dotnet 5 was used on the Actions virtual environment. Now that the virtual environment uses dotnet 6, the CLR tracer no longer works, and we need to explicitly work around SIP. This test will eventually be replaced by an internal integration test for the equivalent functionality in the CLI. For now, this change makes the test continue to pass.
Ensure that this succeeds even if the legacy CLR tracer is not enabled. The combination of the regular tracer and the SIP workaround within Actions should be sufficient for this to pass.
We do not need to prefix `$CODEQL_RUNNER` here on macOS to bypass SIP, because we assume that the `init` step exported `DYLD_INSERT_LIBRARIES` into the environment, which activates the Actions workaround for SIP. See actions/runner#416.
675310b to b4ff463
Thanks. Clearer now.
This test workflow does not source the environment from the init step, so we need to manually read in the variable.
@aeisenberg failing test is fixed: https://github.com/github/codeql-action/runs/7547434836?check_suite_focus=true. I added an explicit step to source the tracing environment (apparently the Runner's autobuild command wasn't sufficiently loading the environment, or it was too late in the process tree). The failing check is a 503 in a test that I haven't touched; I say we ignore it and get this merged.
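The fix described in the comments above is an explicit workflow step that reads the tracer's environment (on macOS, `DYLD_INSERT_LIBRARIES`, which the Actions runner re-injects past SIP) and exports it to later steps via `$GITHUB_ENV`. The following is an added example of that pattern, not code from the codeql-action repository: the env-file layout (one `KEY=VALUE` per line), the file names and the `CODEQL_TRACER_DEMO` variable are assumptions. It also shows the check a practitioner wants when copying values into `$GITHUB_ENV`: a random heredoc delimiter and a variable-name check, so a value cannot terminate the heredoc early and define extra variables.

```shell
#!/bin/sh
# Added example, not code from github/codeql-action.
# Pattern: an explicit workflow step that copies the tracer environment
# (e.g. DYLD_INSERT_LIBRARIES on macOS) into $GITHUB_ENV so that a later
# autobuild step inherits it. The KEY=VALUE env-file layout is an assumption.

# Append KEY=VALUE to a GITHUB_ENV file using the multi-line heredoc form
# that GitHub Actions accepts ("KEY<<delim", value, "delim"). A random
# delimiter stops a value that itself contains a line like "EOF" from
# closing the heredoc early and smuggling in additional variables.
append_github_env() {
  key=$1
  value=$2
  target=$3
  case "$key" in
    ""|[0-9]*|*[!A-Za-z0-9_]*)
      echo "append_github_env: invalid variable name '$key'" >&2
      return 1 ;;
  esac
  delim="ghadelimiter_$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
  printf '%s<<%s\n%s\n%s\n' "$key" "$delim" "$value" "$delim" >> "$target"
}

# Read KEY=VALUE lines from $1 and export each to the GITHUB_ENV file $2.
# Fails if DYLD_INSERT_LIBRARIES was never defined: without it the Actions
# runner has nothing to re-inject, and the tracer would not be active.
source_tracer_env() {
  envfile=$1
  target=$2
  seen_dyld=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      ""|\#*) continue ;;                                   # blank or comment
      *=*) ;;
      *) echo "source_tracer_env: skipping malformed line: $line" >&2; continue ;;
    esac
    key=${line%%=*}
    value=${line#*=}
    append_github_env "$key" "$value" "$target" || return 1
    [ "$key" = DYLD_INSERT_LIBRARIES ] && seen_dyld=1
  done < "$envfile"
  [ "$seen_dyld" -eq 1 ]
}

# Number of variables a GITHUB_ENV file would define (heredoc headers only),
# which is how the test below checks that no value injected an extra one.
github_env_var_count() {
  grep -c '^[A-Za-z_][A-Za-z0-9_]*<<ghadelimiter_' "$1"
}

# Constructed sample input standing in for the file an init step would write;
# the paths and CODEQL_TRACER_DEMO are made up for the example.
demo() {
  tmp=${TMPDIR:-/tmp}/tracer-env-demo.$$
  mkdir -p "$tmp"
  cat > "$tmp/tracer.env" <<'EOF'
# constructed sample; paths are not real
DYLD_INSERT_LIBRARIES=/tmp/codeql/tools/osx64/libtrace.dylib
CODEQL_TRACER_DEMO=/tmp/codeql/tracer
EOF
  : > "$tmp/github_env"
  source_tracer_env "$tmp/tracer.env" "$tmp/github_env"
  github_env_var_count "$tmp/github_env"
}

demo
```

In a real workflow the step would run `source_tracer_env <file-from-init> "$GITHUB_ENV"`; the delimiter handling matters because `$GITHUB_ENV` is parsed by the runner, and a value containing a chosen delimiter line is the classic way to inject variables such as `LD_PRELOAD` into later steps.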
Check is passing now. I'd say it is ok to merge.
autobuild action using C# on macOS. This should work under SIP as long as the tracer is set up correctly, thanks to Actions' own mechanism.

Without the `$CODEQL_RUNNER` prefix, the tracer will not be injected on macOS, as we need the runner to circumvent SIP.

autobuild step, which was failing. This test needs the `$CODEQL_RUNNER` prefix since the tracer is not yet active in the environment. The CLR tracer previously mitigated this problem, but no longer works with dotnet 6 in the virtual environment.

After releasing this change, the required checks in the branch protection have to be updated.
Merge / deployment checklist