github
diff --git a/‎.github/workflows/__autobuild-action.yml
Lines changed: 72 additions & 0 deletions b/‎.github/workflows/__autobuild-action.yml
Lines changed: 72 additions & 0 deletions
diff --git a/‎.github/workflows/pr-checks.yml
Lines changed: 4 additions & 1 deletion b/‎.github/workflows/pr-checks.yml
Lines changed: 4 additions & 1 deletion
diff --git a/‎lib/codeql.js
Lines changed: 13 additions & 0 deletions b/‎lib/codeql.js
Lines changed: 13 additions & 0 deletions
diff --git a/‎lib/codeql.js.map
Lines changed: 1 addition & 1 deletion b/‎lib/codeql.js.map
Lines changed: 1 addition & 1 deletion
diff --git a/‎pr-checks/checks/autobuild-action.yml
Lines changed: 28 additions & 0 deletions b/‎pr-checks/checks/autobuild-action.yml
Lines changed: 28 additions & 0 deletions
diff --git a/‎src/codeql.ts
Lines changed: 14 additions & 0 deletions b/‎src/codeql.ts
Lines changed: 14 additions & 0 deletions
@@ -414,7 +414,10 @@ jobs:
       - name: Build code
         shell: bash
         run: |
-          ../action/runner/dist/codeql-runner-macos autobuild
+          . codeql-runner/codeql-env.sh
+          CODEQL_RUNNER="$(cat codeql-runner/codeql-env.json | jq -r '.CODEQL_RUNNER')"
+          echo "$CODEQL_RUNNER"
+          $CODEQL_RUNNER ../action/runner/dist/codeql-runner-macos autobuild
 
       - name: Run analyze
         run: |
 
@@ -0,0 +1,28 @@
+name: "autobuild-action"
+description: "Tests that the C# autobuild action works"
+versions: ["latest"]
+steps:
+  - uses: ./../action/init
+    with:
+      languages: csharp
+      tools: ${{ steps.prepare-test.outputs.tools-url }}
+  - uses: ./../action/autobuild
+    env:
+      # Explicitly disable the CLR tracer.
+      COR_ENABLE_PROFILING: ""
+      COR_PROFILER: ""
+      COR_PROFILER_PATH_64: ""
+      CORECLR_ENABLE_PROFILING: ""
+      CORECLR_PROFILER: ""
+      CORECLR_PROFILER_PATH_64: ""
+  - uses: ./../action/analyze
+    env:
+      TEST_MODE: true
+  - name: Check database
+    shell: bash
+    run: |
+      cd "$RUNNER_TEMP/codeql_databases"
+      if [[ ! -d csharp ]]; then
+        echo "Did not find a C# database"
+        exit 1
+      fi
@@ -780,6 +780,20 @@ async function getCodeQLForCmd(
         "-Dmaven.wagon.http.pool=false",
       ].join(" ");
 
+      // On macOS, System Integrity Protection (SIP) typically interferes with
+      // CodeQL build tracing of protected binaries.
+      // The usual workaround is to prefix `$CODEQL_RUNNER` to build commands:
+      // `$CODEQL_RUNNER` (not to be confused with the deprecated CodeQL Runner tool)
+      // points to a simple wrapper binary included with the CLI, and the extra layer of
+      // process indirection helps the tracer bypass SIP.
+
+      // The above SIP workaround is *not* needed here.
+      // At the `autobuild` step in the Actions workflow, we assume the `init` step
+      // has successfully run, and will have exported `DYLD_INSERT_LIBRARIES`
+      // into the environment of subsequent steps, to activate the tracer.
+      // When `DYLD_INSERT_LIBRARIES` is set in the environment for a step,
+      // the Actions runtime introduces its own workaround for SIP
+      // (https://github.com/actions/runner/pull/416).
       await runTool(autobuildCmd);
     },
     async extractScannedLanguage(