Security issue on macOS Tahoe 26.2

[Vertexwahn]

I just updated my macOS to Tahoe 26.2 (Apple M4)

bazel build //... using rules_vulkan resulted in this error:

/...
INFO: Repository rules_vulkan++vulkan_sdk+vk_sdk instantiated at:
  <builtin>: in <toplevel>
Repository rule download_sdk defined at:
  /private/var/tmp/_bazel_vertexwahn/c5f64fdaf35c55b61a8fbc949c746d22/external/rules_vulkan+/vulkan/private/download.bzl:159:31: in <toplevel>
INFO: repository @@rules_vulkan++vulkan_sdk+vk_sdk' used the following cache hits instead of downloading the corresponding file.
 * Hash '571db867d8736e402f6f674f26f17b339495d016f3b2afdbac23a3650475023f' for https://sdk.lunarg.com/sdk/download/1.4.328.1/mac/vulkansdk-macos-1.4.328.1.zip
If the definition of 'repository @@rules_vulkan++vulkan_sdk+vk_sdk' was updated, verify that the hashes were also updated.
ERROR: /private/var/tmp/_bazel_vertexwahn/c5f64fdaf35c55b61a8fbc949c746d22/external/rules_vulkan+/vulkan/private/download.bzl:27:29: An error occurred during the fetch of repository 'rules_vulkan++vulkan_sdk+vk_sdk':
   Traceback (most recent call last):
        File "/private/var/tmp/_bazel_vertexwahn/c5f64fdaf35c55b61a8fbc949c746d22/external/rules_vulkan+/vulkan/private/download.bzl", line 151, column 23, in _download_impl
                _install_macos(ctx, urls, version, attrs)
        File "/private/var/tmp/_bazel_vertexwahn/c5f64fdaf35c55b61a8fbc949c746d22/external/rules_vulkan+/vulkan/private/download.bzl", line 27, column 29, in _install_macos
                ctx.download_and_extract(
Error in download_and_extract: java.io.IOException: Error extracting /private/var/tmp/_bazel_vertexwahn/c5f64fdaf35c55b61a8fbc949c746d22/external/rules_vulkan++vulkan_sdk+vk_sdk/installer/temp14827882599243988155/vulkansdk-macos-1.4.328.1.zip to /private/var/tmp/_bazel_vertexwahn/c5f64fdaf35c55b61a8fbc949c746d22/external/rules_vulkan++vulkan_sdk+vk_sdk/installer/temp14827882599243988155: /private/var/tmp/_bazel_vertexwahn/c5f64fdaf35c55b61a8fbc949c746d22/external/rules_vulkan++vulkan_sdk+vk_sdk/installer/vulkansdk-macOS-1.4.328.1.app (Operation not permitted)
ERROR: Analysis of target '//core/tests/third_party:fmt_test' failed; build aborted: java.io.IOException: Error extracting /private/var/tmp/_bazel_vertexwahn/c5f64fdaf35c55b61a8fbc949c746d22/external/rules_vulkan++vulkan_sdk+vk_sdk/installer/temp14827882599243988155/vulkansdk-macos-1.4.328.1.zip to /private/var/tmp/_bazel_vertexwahn/c5f64fdaf35c55b61a8fbc949c746d22/external/rules_vulkan++vulkan_sdk+vk_sdk/installer/temp14827882599243988155: /private/var/tmp/_bazel_vertexwahn/c5f64fdaf35c55b61a8fbc949c746d22/external/rules_vulkan++vulkan_sdk+vk_sdk/installer/vulkansdk-macOS-1.4.328.1.app (Operation not permitted)
INFO: Elapsed time: 0.890s, Critical Path: 0.49s
INFO: 1 process: 1 internal.
ERROR: Build did NOT complete successfully
FAILED: 
    Fetching ...les_go++go_sdk+go_sdk; Downloading and extracting Go toolchain
    Fetching https://dl.google.com/go/go1.25.3.darwin-arm64.tar.gz
    Fetching ...sdk+vk_sdk/installer; Extracting vulkansdk-macos-1.4.328.1.zip

Tested Bazel versions: 8.5.0, 8.4.0

Copilot claims:

 Bazel is failing when trying to extract the Vulkan SDK for macOS. The error is:

This is a macOS file system permission issue. The Vulkan SDK zip contains a .app bundle, and Bazel doesn't have permission to extract macOS application bundles due to security restrictions.

This seems quite new - did not have the issue before Tahoe 26.2 - on the previouse version it works without any problems.

Maybe I have to allow Bazel to download .app bundle files and there is nothing that can be fixed on the rules_vulkan side - but maybe we make a small entry to the Readme. Will observe this and once I have a fix I can extend the readme....

[Vertexwahn]

Update: Granting Full Disk Access on macOS solves the problem....

[mxpv]

Curious, how do you install Bazel?
I'm using bazelisk installed from brew, and I don't see anything like that (there is no full disk access entry either).

[Vertexwahn]

Using brew