Log warning if SIP is disabled and CLI version is < 2.15.1

[angelapwen]

The macos-latest image is now ARM rather than Intel, so we need to change some of our PR Checks. The build tracer on CLI versions before v2.15.1 did not support the ARM machines where System Integrity Protection was disabled, which now includes macos-latest.

This change:

• uses macos-12 Intel runners for any checks where the CLI version is below v2.15.1
• logs a warning if SIP is disabled, and if the CLI version is below v2.15.1

Separately, the macos-latest image no longer supports Go on the path by default, so this PR adds setup-go to all PR checks analyzing Go.

I've updated the Required PR checks on main to include the new ones, but have not updated v2 or v3 yet.

Merge / deployment checklist

• Confirm this change is backwards compatible with existing workflows.
• Confirm the readme has been updated if necessary.
• Confirm the changelog has been updated if necessary.

[adityasharad]

Thanks - generally looks good but a couple of minor suggestions.

[adityasharad]

The warning mentions ARM, but you're not checking process.arch.
Either we can change the warning to say macOS in general with SIP disabled is not supported on <=2.15.0 (not strictly true, but I don't know if we fixed other relocation issues that would affect Intel),
or change the code above to check process.arch being arm or arm64.

[angelapwen]

Ah yes, good point 👍 will change it to process.arch as I believe that's more accurate to the problem we were looking at in 2.15.1.

[adityasharad]

Minor, separate: I had to go look at the definition to remind myself whether this was > or >=. Perhaps we should rename it codeQlVersionAtLeast or similar.

[angelapwen]

Good point, I always double check that it's using gte too. I've made the change

[adityasharad]

Can we simplify this to just runner.os == 'macOS'?

[angelapwen]

Yep, done!

[adityasharad]

This line needs to remain!

[angelapwen]

Oh yes, Linux exists 😆