-
Notifications
You must be signed in to change notification settings - Fork 333
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
autobuild: Update tests for C# on macOS #1149
Conversation
Without this, the tracer will not be injected on MacOS, as we need the runner to circumvent SIP. Also add a test that tests the autobuild-action to exercise this code path.
@@ -0,0 +1,20 @@ | |||
name: "Autobuild " | |||
description: "Tests that C# " |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this line and the one above are incomplete.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, and the file name is wrong either.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. Minor suggestions only.
I wonder why this change is necessary, and wouldn't workflows with custom build commands also need a similar tweak? The actions/runner already inserts an intermediate process, so CODEQL_RUNNER should not be needed. See also: actions/runner#416 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As discussed separately, we do not need to introduce the CODEQL_RUNNER
prefix thanks to Actions' own protection mechanism, but we do want to keep the new PR check introduced here.
Add the missing `$CODEQL_RUNNER` prefix to the autobuild command line. This intermediate process works around System Integrity Protection, allowing the tracer to start the C# extractor for the dotnet builds within the autobuild process. The test used to pass without this because the legacy CLR tracer bypassed SIP while dotnet 5 was used on the Actions virtual environment. Now that the virtual environment uses dotnet 6, the CLR tracer no longer works, and we need to explicitly work around SIP. This test will eventually be replaced by an internal integration test for the equivalent functionality in the CLI. For now, this change makes the test continue to pass.
Ensure that this succeeds even if the legacy CLR tracer is not enabled. The combination of the regular tracer and the SIP workaround within Actions should be sufficient for this to pass.
We do not need to prefix `$CODEQL_RUNNER` here on macOS to bypass SIP, because we assume that the `init` step exported `DYLD_INSERT_LIBRARIES` into the environment, which activates the Actions workaround for SIP. See actions/runner#416.
675310b
to
b4ff463
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks. Clearer now.
This test workflow does not source the environment from the init step, so we need to manually read in the variable.
@aeisenberg failing test is fixed: https://github.com/github/codeql-action/runs/7547434836?check_suite_focus=true. I added an explicit step to source the tracing environment (apparently the Runner's autobuild command wasn't sufficiently loading the environment, or it was too late in the process tree). The failing check is a 503 in a test that I haven't touched; I say we ignore it and get this merged. |
Check is passing now. i'd say it is ok to merge. |
autobuild
action using C# on macOS. This should work under SIP as long as the tracer is set up correctly, thanks to Actions' own mechanism.Without the$CODEQL_RUNNER
prefix, the tracer will not be injected on MacOS, as we need the runner to circumvent SIP.autobuild
step, which was failing. This test needs the$CODEQL_RUNNER
prefix since the tracer is not yet active in the environment. The CLR tracer previously mitigated this problem, but no longer works with dotnet 6 in the virtual environment.After releasing this change, the required checks in the branch protection has to be updated.
Merge / deployment checklist