autobuild: Update tests for C# on macOS

.github/workflows/pr-checks.yml

@@ -414,7 +414,10 @@ jobs:
       - name: Build code
         shell: bash
         run: |
-          ../action/runner/dist/codeql-runner-macos autobuild
+          . codeql-runner/codeql-env.sh
+          CODEQL_RUNNER="$(cat codeql-runner/codeql-env.json | jq -r '.CODEQL_RUNNER')"
+          echo "$CODEQL_RUNNER"
+          $CODEQL_RUNNER ../action/runner/dist/codeql-runner-macos autobuild
 
       - name: Run analyze
         run: |

pr-checks/checks/autobuild-action.yml

@@ -0,0 +1,28 @@
+name: "autobuild-action"
+description: "Tests that the C# autobuild action works"
+versions: ["latest"]
+steps:
+  - uses: ./../action/init
+    with:
+      languages: csharp
+      tools: ${{ steps.prepare-test.outputs.tools-url }}
+  - uses: ./../action/autobuild
+    env:
+      # Explicitly disable the CLR tracer.
+      COR_ENABLE_PROFILING: ""
+      COR_PROFILER: ""
+      COR_PROFILER_PATH_64: ""
+      CORECLR_ENABLE_PROFILING: ""
+      CORECLR_PROFILER: ""
+      CORECLR_PROFILER_PATH_64: ""
+  - uses: ./../action/analyze
+    env:
+      TEST_MODE: true
+  - name: Check database
+    shell: bash
+    run: |
+      cd "$RUNNER_TEMP/codeql_databases"
+      if [[ ! -d csharp ]]; then
+        echo "Did not find a C# database"
+        exit 1
+      fi

src/codeql.ts

@@ -780,6 +780,20 @@ async function getCodeQLForCmd(
         "-Dmaven.wagon.http.pool=false",
       ].join(" ");
 
+      // On macOS, System Integrity Protection (SIP) typically interferes with
+      // CodeQL build tracing of protected binaries.
+      // The usual workaround is to prefix `$CODEQL_RUNNER` to build commands:
+      // `$CODEQL_RUNNER` (not to be confused with the deprecated CodeQL Runner tool)
+      // points to a simple wrapper binary included with the CLI, and the extra layer of
+      // process indirection helps the tracer bypass SIP.
+
+      // The above SIP workaround is *not* needed here.
+      // At the `autobuild` step in the Actions workflow, we assume the `init` step
+      // has successfully run, and will have exported `DYLD_INSERT_LIBRARIES`
+      // into the environment of subsequent steps, to activate the tracer.
+      // When `DYLD_INSERT_LIBRARIES` is set in the environment for a step,
+      // the Actions runtime introduces its own workaround for SIP
+      // (https://github.com/actions/runner/pull/416).
       await runTool(autobuildCmd);
     },
     async extractScannedLanguage(