Move CodeQL from Mac to Mac Legacy #2564
Conversation
Currently, CodeQL interferes with the signing of Mac builds
There was a problem hiding this comment.
Loogs good to me. The fact that removing CodeQL fixes the signing has already been proven here, so no need to re-test this now: https://github.com/emlynmac/jamulus/runs/5726251664?check_suite_focus=true
Just two suggestions for additional/extended comments.
For future reference, this is what the hang (before this PR) looked like in CI logs:
Log: Symlink exists, skipping: "/Users/runner/work/jamulus/jamulus/build/Jamulus.app/Contents/Frameworks/QtCore.framework/Versions/Current"
Log: Created configuration file: "/Users/runner/work/jamulus/jamulus/build/Jamulus.app/Contents/Resources/qt.conf"
Log: This file sets the plugin search path to "/Users/runner/work/jamulus/jamulus/build/Jamulus.app/Contents/PlugIns"
Log:
Log: Signing "/Users/runner/work/jamulus/jamulus/build/Jamulus.app" with identity "***"
Log: "codesign, enable hardened runtime, include secure timestamp" "/Users/runner/work/jamulus/jamulus/build/Jamulus.app/Contents/Frameworks/QtCore.framework/Versions/5/QtCore"
Error: The operation was canceled.
I believe that this is a sub-invocation of macdeployqt. I've not pin-pointed exactly which build sub-step breaks due to CodeQL. I suspected CodeQL's DYLD_INSERT_LIBRARIES override (via Workflow env variables), but disabling it for macdeployqt or for the various keysring setup commands (security ...) did not work when tested individually. Maybe both steps are affected (didn't test that in combination) or it's some other factor as well.
I'm just adding this here for future reference as well as all of that was solely discussed via Chat and not in an Issue. :/
| xcode_version: 12.1.1 | ||
|
|
||
| - config_name: MacOS Legacy (artifacts) | ||
| - config_name: MacOS Legacy (artifacts+CodeQL) |
There was a problem hiding this comment.
Maybe we can add an additional comment to reduce the chance that we accidentially remove Legacy at some point with no replacement for macOS CodeQL.
| - config_name: MacOS Legacy (artifacts+CodeQL) | |
| # Reminder: Once Legacy can be removed, be sure to add a dedicated job for CodeQL again. | |
| - config_name: MacOS Legacy (artifacts+CodeQL) |
| target_os: macos | ||
| # Stay on 10.15 as long as we use dmgbuild which does not work with 11's hdiutil (?): | ||
| building_on_os: macos-10.15 | ||
| base_command: QT_VERSION=5.15.2 SIGN_IF_POSSIBLE=1 ./.github/autobuild/mac.sh | ||
| run_codeql: true | ||
| # Disable CodeQL on mac as it interferes with signing the binaries |
There was a problem hiding this comment.
| # Disable CodeQL on mac as it interferes with signing the binaries | |
| # Disable CodeQL on mac as it interferes with signing the binaries (signing hangs) |
|
@softins can you add the suggestions + link to this PR too? |
Sorry, I didn't notice them before merging (I did it on the iPad app, which seems to hide a lot!). Maybe I'll merge them directly. |
…ussoftware#2564) Co-authored-by: Christian Hoffmann <christian@hoffie.info>
Autobuild: Extend comments about macOS signing vs. CodeQL (from #2564)
Short description of changes
Moved the CodeQL for Mac from the signed main build to the unsigned legacy build
CHANGELOG: Moved CodeQL from Mac to Mac Legacy to work around signing incompatibility.
Context: Fixes an issue?
Currently, CodeQL interferes with the signing of Mac builds. This separates the CodeQL change from #2563, leaving the latter just for the entitlements fix.
Does this change need documentation? What needs to be documented and how?
Probably not
Status of this Pull Request
Tested with a manual workflow run
What is missing until this pull request can be merged?
Ready to merge
Checklist