Attempt to prevent false positive detections by Windows Defender #16
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Windows | |
on: | |
push: | |
tags: | |
- 'v*' | |
branches: | |
- main | |
paths: | |
- '.github/workflows/windows.yml' | |
- '**.go' | |
- 'go.*' | |
- '.goreleaser.yaml' | |
- 'config' | |
pull_request: | |
paths: | |
- '.github/workflows/windows.yml' | |
- '**.go' | |
- 'go.*' | |
- '.goreleaser.yaml' | |
- 'config' | |
workflow_dispatch: | |
permissions: | |
contents: write | |
pull-requests: write | |
checks: read # For private repositories | |
actions: read # For private repositories | |
defaults: | |
run: | |
shell: pwsh | |
jobs: | |
setup: | |
runs-on: windows-2022 | |
steps: | |
- name: Prepare Windows Defender | |
# https://github.com/actions/runner-images/issues/855#issuecomment-626692949 may help to understand | |
run: | | |
& "C:\Program Files\Windows Defender\MpCmdRun.exe" -ListAllDynamicSignatures | |
# Remove cache: https://news.mynavi.jp/article/win10tips-410/ | |
# But comment out to inspect, this may never enable again... | |
# & "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -DynamicSignatures | |
# Enable cloud-based protection | |
Set-MpPreference -MAPSReporting Advanced | |
# Enable automatic sample submission | |
Set-MpPreference -SubmitSamplesConsent SendSafeSamples | |
Set-Service -Name wuauserv -StartupType Manual -Status Running | |
& "C:\Program Files\Windows Defender\MpCmdRun.exe" -SignatureUpdate | |
& "C:\Program Files\Windows Defender\MpCmdRun.exe" -ListAllDynamicSignatures | |
# Stop CI if no dynamic signatures are enabled | |
Get-MpComputerStatus | |
if (!((& "C:\Program Files\Windows Defender\MpCmdRun.exe" -ListAllDynamicSignatures) | Select-String -Pattern "SignatureSet ID:")) { | |
Exit 42 | |
} | |
- uses: actions/checkout@v4 | |
- name: Set up Go | |
uses: actions/setup-go@v5 | |
with: | |
go-version-file: 'go.mod' | |
cache-dependency-path: 'go.sum' | |
- name: Install goreleaser | |
uses: goreleaser/goreleaser-action@v5 | |
with: | |
install-only: true | |
version: 'v1.24.0' # selfup { "regex": "\\d[^']+", "script": "goreleaser --version | grep 'GitVersion:' | tr -s ' ' | cut -d ' ' -f 2" } | |
- name: Make sure there are what files before build | |
run: Get-ChildItem | |
- name: Build winit-* | |
run: goreleaser build --snapshot --clean | |
- name: Make sure there are what files after build | |
run: | | |
Get-ChildItem | |
Get-ChildItem -Recurse .\dist | |
# https://github.com/goreleaser/goreleaser-action/tree/5fdedb94abba051217030cc86d4523cf3f02243d#upload-artifacts | |
- name: Upload artifact | |
id: upload-artifact | |
uses: actions/upload-artifact@v4 | |
with: | |
name: winit | |
path: dist/**/*.exe | |
- name: Download the artifact to make sure we can actually use it | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
run: | | |
gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" ` | |
repos/${{ github.repository }}/actions/artifacts/${{ steps.upload-artifact.outputs.artifact-id }}/zip > distributed-artifact.zip | |
- name: Check Windows Defender does not false positive detect the product | |
run: | | |
& "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -Trace -File "$(pwd)\dist" | |
& "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -Trace -File "$(pwd)\distributed-artifact.zip" | |
Start-MpScan -ScanPath "$pwd" | |
Get-MpThreat | |
Get-MpThreatDetection | |
- name: Collect Defender log | |
run: | | |
New-Item -Force -ItemType "Directory" -Path MpCmdRun-logs | |
& "C:\Program Files\Windows Defender\MpCmdRun.exe" -GetFiles -SupportLogLocation "$(pwd)\MpCmdRun-logs" | |
- name: Upload artifact | |
id: upload-defender-log | |
uses: actions/upload-artifact@v4 | |
with: | |
name: MpCmdRun-logs | |
path: MpCmdRun-logs/** | |
# Do not write depending winget and WSL2 logcs for now | |
# https://github.com/microsoft/winget-cli/issues/3872 | |
# https://github.com/actions/runner-images/issues/910 | |
# https://github.com/microsoft/winget-cli/blob/b07d2ebb7d865f95320e2bc708a2d1efb2152c5a/README.md#L14 | |
- name: Rebel against unacceptable default | |
run: | | |
.\dist\winit-reg_windows_amd64_v1\winit-reg.exe list | |
.\dist\winit-reg_windows_amd64_v1\winit-reg.exe run --all | |
# This logics can be finished even if tools are not installed | |
- name: Put config files around terminals | |
run: | | |
.\dist\winit-conf_windows_amd64_v1\winit-conf.exe -pwsh_profile_path "$PROFILE" | |
- name: Make sure it correctly copied some config files | |
run: | | |
Get-Content "$PROFILE" | |
- name: Release the product | |
if: startsWith(github.ref, 'refs/tags/') | |
run: | | |
goreleaser release --clean |