Comparing changes

base repository: github/codeql-action
base: v3.26.4
head repository: github/codeql-action
compare: v3.26.5
  • 6 commits
  • 13 files changed
  • 3 contributors

Commits on Aug 21, 2024

  1. Verified

    This commit was signed with the committer’s verified signature.
    crazy-max CrazyMax
    b15a247
  2. 6f10eb0
  3. Merge pull request #2438 from github/mergeback/v3.26.4-to-main-f0f3afee

    Mergeback v3.26.4 refs/heads/releases/v3 into main
    angelapwen authored Aug 21, 2024
    fd5fa13

Commits on Aug 23, 2024

  1. Only run check SIP enablement once in init step (#2441)

    Co-authored-by: Henry Mercer <henrymercer@github.com>
    Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
    3 people authored Aug 23, 2024
    7e27807
  2. 68cd1f9
  3. Merge main into releases/v3 (#2444)

    * Update changelog and version after v3.26.4
    
    * Update checked-in dependencies
    
    * Only run check SIP enablement once in `init` step (#2441)
    
    Co-authored-by: Henry Mercer <henrymercer@github.com>
    Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
    
    * Update changelog for v3.26.5
    
    ---------
    
    Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
    Co-authored-by: Angela P Wen <angelapwen@github.com>
    Co-authored-by: Henry Mercer <henrymercer@github.com>
    3 people authored Aug 23, 2024
    2c779ab
Showing with 53 additions and 19 deletions.
  1. +4 −0 CHANGELOG.md
  2. +5 −0 lib/environment.js
  3. +1 −1 lib/environment.js.map
  4. +1 −1 lib/init-action.js
  5. +1 −1 lib/init-action.js.map
  6. +13 −5 lib/util.js
  7. +1 −1 lib/util.js.map
  8. +1 −1 node_modules/.package-lock.json
  9. +2 −2 package-lock.json
  10. +1 −1 package.json
  11. +6 −0 src/environment.ts
  12. +2 −2 src/init-action.ts
  13. +15 −4 src/util.ts
4 changes: 4 additions & 0 deletions CHANGELOG.md
@@ -4,6 +4,10 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th

Note that the only difference between `v2` and `v3` of the CodeQL Action is the node version they support, with `v3` running on node 20 while we continue to release `v2` to support running on node 16. For example `3.22.11` was the first `v3` release and is functionally identical to `2.22.11`. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers.

## 3.26.5 - 23 Aug 2024

- Fix an issue where the `csrutil` system call used for telemetry would fail on MacOS ARM machines with System Integrity Protection disabled. [#2441](https://github.com/github/codeql-action/pull/2441)

## 3.26.4 - 21 Aug 2024

- _Deprecation:_ The `add-snippets` input on the `analyze` Action is deprecated and will be removed in the first release in August 2025. [#2436](https://github.com/github/codeql-action/pull/2436)
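
Review bot: The 3.26.5 entry calls `csrutil` a "system call", but `csrutil status` is a command the action executes, and the entry describes only the symptom. Consider wording it as "the `csrutil status` command" and adding that the SIP status is now determined once in the `init` step and reused afterwards, so readers of the changelog can see what changed in behaviour and not only which failure went away.
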
5 changes: 5 additions & 0 deletions lib/environment.js

Some generated files are not rendered by default.

2 changes: 1 addition & 1 deletion lib/environment.js.map

Some generated files are not rendered by default.

2 changes: 1 addition & 1 deletion lib/init-action.js

Some generated files are not rendered by default.

2 changes: 1 addition & 1 deletion lib/init-action.js.map

Large diffs are not rendered by default.

18 changes: 13 additions & 5 deletions lib/util.js
2 changes: 1 addition & 1 deletion lib/util.js.map

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion node_modules/.package-lock.json
4 changes: 2 additions & 2 deletions package-lock.json
2 changes: 1 addition & 1 deletion package.json
@@ -1,6 +1,6 @@
{
"name": "codeql",
"version": "3.26.4",
"version": "3.26.5",
"private": true,
"description": "CodeQL action",
"scripts": {
6 changes: 6 additions & 0 deletions src/environment.ts
@@ -50,6 +50,12 @@ export enum EnvVar {
/** Whether the init action has been run. */
INIT_ACTION_HAS_RUN = "CODEQL_ACTION_INIT_HAS_RUN",

/**
* For MacOS. Result of `csrutil status` to determine whether System Integrity
* Protection is enabled.
*/
IS_SIP_ENABLED = "CODEQL_ACTION_IS_SIP_ENABLED",

/** UUID representing the current job run. */
JOB_RUN_UUID = "JOB_RUN_UUID",
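
Review bot: The doc comment on `IS_SIP_ENABLED` says the variable holds the "Result of `csrutil status`", which reads as the raw command output. The code in `src/util.ts` stores and accepts only the strings "true" and "false", so the comment should state that contract, including that the variable is exported only when one of those two outcomes was recognised.
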

4 changes: 2 additions & 2 deletions src/init-action.ts
@@ -48,6 +48,7 @@ import {
checkDiskUsage,
checkForTimeout,
checkGitHubVersionInRange,
checkSipEnablement,
codeQlVersionAtLeast,
DEFAULT_DEBUG_ARTIFACT_NAME,
DEFAULT_DEBUG_DATABASE_NAME,
@@ -56,7 +57,6 @@ import {
getThreadsFlagValue,
initializeEnvironment,
isHostedRunner,
isSipEnabled,
ConfigurationError,
wrapError,
checkActionVersion,
@@ -555,7 +555,7 @@ async function run() {
!(await codeQlVersionAtLeast(codeql, "2.15.1")) &&
process.platform === "darwin" &&
(process.arch === "arm" || process.arch === "arm64") &&
!(await isSipEnabled(logger))
!(await checkSipEnablement(logger))
) {
logger.warning(
"CodeQL versions 2.15.0 and lower are not supported on MacOS ARM machines with System Integrity Protection (SIP) disabled.",
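
Review bot: In the `run()` condition, `!(await checkSipEnablement(logger))` is also true when the function returns `undefined`, which its `Promise<boolean | undefined>` signature allows, so the "System Integrity Protection (SIP) disabled" warning is logged when the status is merely unknown. If that is not intended, compare explicitly with `(await checkSipEnablement(logger)) === false`; if it is intended, a short comment saying that an unknown status is treated as disabled would make the condition easier to audit.
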
19 changes: 15 additions & 4 deletions src/util.ts
@@ -1021,7 +1021,7 @@ export async function checkDiskUsage(
if (
process.platform === "darwin" &&
(process.arch === "arm" || process.arch === "arm64") &&
!(await isSipEnabled(logger))
!(await checkSipEnablement(logger))
) {
return undefined;
}
@@ -1113,11 +1113,20 @@ export function cloneObject<T>(obj: T): T {
return JSON.parse(JSON.stringify(obj)) as T;
}

// For MacOS runners: runs `csrutil status` to determine whether System
// Integrity Protection is enabled.
export async function isSipEnabled(
// The first time this function is called, it runs `csrutil status` to determine
// whether System Integrity Protection is enabled; and saves the result in an
// environment variable. Afterwards, simply return the value of the environment
// variable.
export async function checkSipEnablement(
logger: Logger,
): Promise<boolean | undefined> {
if (
process.env[EnvVar.IS_SIP_ENABLED] !== undefined &&
["true", "false"].includes(process.env[EnvVar.IS_SIP_ENABLED])
) {
return process.env[EnvVar.IS_SIP_ENABLED] === "true";
}

try {
const sipStatusOutput = await exec.getExecOutput("csrutil status");
if (sipStatusOutput.exitCode === 0) {
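
Review bot: The new guard at the top of `checkSipEnablement` returns whatever `CODEQL_ACTION_IS_SIP_ENABLED` already holds, so the comment "The first time this function is called, it runs `csrutil status`" is inaccurate when the variable was set by the workflow or an earlier step: in that case `csrutil` never runs and the supplied value is trusted. Document that the variable acts as an override as well as a cache, or that it is assumed to be written only by this function. The guard also reads `process.env[EnvVar.IS_SIP_ENABLED]` three times; reading it into a local constant once would make the check easier to follow.
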
@@ -1126,13 +1135,15 @@ export async function isSipEnabled(
"System Integrity Protection status: enabled.",
)
) {
core.exportVariable(EnvVar.IS_SIP_ENABLED, "true");
return true;
}
if (
sipStatusOutput.stdout.includes(
"System Integrity Protection status: disabled.",
)
) {
core.exportVariable(EnvVar.IS_SIP_ENABLED, "false");
return false;
}
}
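
Review bot: `core.exportVariable(EnvVar.IS_SIP_ENABLED, ...)` is called only in the two branches that match the "enabled." and "disabled." strings, so in the lines shown a non-zero exit code or unrecognised output caches nothing and every later call runs `csrutil status` again. If the aim is to run the command once, record the undetermined outcome as well (for example a third value that the guard at the top of the function recognises), or say in the function comment that only a conclusive result is cached.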