Autobuild: Expand comment on SIP workarounds

github · Jul 25, 2022 · 675310b · 675310b
1 parent b4fddcb
commit 675310b
Showing 1 changed file with 14 additions and 4 deletions.
diff --git a/src/codeql.ts b/src/codeql.ts
@@ -780,10 +780,20 @@ async function getCodeQLForCmd(
         "-Dmaven.wagon.http.pool=false",
       ].join(" ");
 
-      // We do not need to prefix $CODEQL_RUNNER here on macOS to bypass SIP,
-      // because we assume that the init step exported DYLD_INSERT_LIBRARIES
-      // into the environment, which activates the Actions workaround for
-      // SIP. See https://github.com/actions/runner/pull/416.
+      // On macOS, System Integrity Protection (SIP) typically interferes with
+      // CodeQL build tracing of protected binaries.
+      // The usual workaround is to prefix `$CODEQL_RUNNER` to build commands:
+      // `$CODEQL_RUNNER` (not to be confused with the deprecated CodeQL Runner tool)
+      // points to a simple wrapper binary included with the CLI, and the extra layer of
+      // process indirection helps the tracer bypass SIP.
+
+      // The above SIP workaround is *not* needed here.
+      // At the `autobuild` step in the Actions workflow, we assume the `init` step
+      // has successfully run, and will have exported `DYLD_INSERT_LIBRARIES`
+      // into the environment of subsequent steps, to activate the tracer.
+      // When `DYLD_INSERT_LIBRARIES` is set in the environment for a step,
+      // the Actions runtime introduces its own workaround for SIP
+      // (https://github.com/actions/runner/pull/416).
       await runTool(autobuildCmd);
     },
     async extractScannedLanguage(