diff --git a/.github/workflows/cgo.yml b/.github/workflows/cgo.yml
index a839f61f72f..3502037222b 100644
--- a/.github/workflows/cgo.yml
+++ b/.github/workflows/cgo.yml
@@ -1854,6 +1854,65 @@ jobs:
 Write-Host "Exit code: $scanExitCode"
 Write-Host "======================="
+ # Write diagnostic info and scan output to a log file for artifact upload.
+ $logFile = Join-Path $env:RUNNER_TEMP "defender-scan-log.txt"
+ $mpStatusLines = if ($mpStatus) {
+ @(
+ "AntivirusEnabled: $($mpStatus.AntivirusEnabled)",
+ "RealTimeProtectionEnabled: $($mpStatus.RealTimeProtectionEnabled)",
+ "AntivirusSignatureVersion: $($mpStatus.AntivirusSignatureVersion)",
+ "AntivirusSignatureLastUpdated: $($mpStatus.AntivirusSignatureLastUpdated)",
+ "AMProductVersion: $($mpStatus.AMProductVersion)",
+ "AMEngineVersion: $($mpStatus.AMEngineVersion)",
+ "AMRunningMode: $($mpStatus.AMRunningMode)",
+ "IoavProtectionEnabled: $($mpStatus.IoavProtectionEnabled)"
+ )
+ } else {
+ @("(Get-MpComputerStatus unavailable)")
+ }
+ $mpPrefLines = if ($mpPreference) {
+ @(
+ "ExclusionPath: $(@($mpPreference.ExclusionPath) -join '; ')",
+ "ExclusionExtension: $(@($mpPreference.ExclusionExtension) -join '; ')",
+ "ExclusionProcess: $(@($mpPreference.ExclusionProcess) -join '; ')",
+ "ExclusionIpAddress: $(@($mpPreference.ExclusionIpAddress) -join '; ')"
+ )
+ } else {
+ @("(Get-MpPreference unavailable)")
+ }
+ $winDefendLines = if ($winDefendService) {
+ @(
+ "WinDefend service status: $($winDefendService.Status)",
+ "WinDefend service start: $($winDefendService.StartType)"
+ )
+ } else {
+ @("(WinDefend service unavailable)")
+ }
+ $logContent = @(
+ "=== Microsoft Defender diagnostic info ===",
+ ($mpStatusLines -join "`n"),
+ ($mpPrefLines -join "`n"),
+ ($winDefendLines -join "`n"),
+ "MpCmdRun.exe path: $mpCmdRun",
+ "Workspace binary: $workspaceBinaryPath",
+ "Workspace size: $($stableBinaryItem.Length) bytes",
+ "Workspace SHA256: $workspaceBinaryHash",
+ "Binary to scan: $binaryPath",
+ "Binary size: $($scanBinaryItem.Length) bytes",
+ "Binary SHA256: $scanBinaryHash",
+ "==========================================",
+ "",
+ "=== MpCmdRun output ===",
+ $outputText,
+ "Exit code: $scanExitCode",
+ "======================="
+ ) -join "`n"
+ try {
+ Set-Content -Path $logFile -Value $logContent -Encoding UTF8
+ } catch {
+ Write-Host "Warning: could not write defender scan log file: $_"
+ }
+
+ # Exit code alone is not enough: explicitly parse output to confirm scan execution.
 $skipped = $output | Where-Object { $_ -imatch "\bwas skipped\b|\bcannot be scanned\b|\bnot performed\b|\b(?:file|scan).*\bexcluded\b" }
 $threatLines = $output | Where-Object { $_ -match "\bThreat\b" }
@@ -1882,6 +1941,14 @@ jobs:
 Write-Host "✅ Microsoft Defender scan completed successfully for $binaryPath"
+ - name: Upload Defender scan logs
+ if: always() && runner.os == 'Windows'
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+ with:
+ name: defender-scan-log-${{ github.run_id }}-${{ github.run_attempt }}
+ path: ${{ runner.temp }}/defender-scan-log.txt
+ retention-days: 7
+
 - name: Create test workflow
 shell: bash
 run: |
diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml
index 88986810e83..7791bb048ba 100644
--- a/.github/workflows/release.lock.yml
+++ b/.github/workflows/release.lock.yml
@@ -661,7 +661,8 @@ jobs:
 "required": true,
 "type": "string",
 "sanitize": true,
- "maxLength": 65000
+ "maxLength": 65000,
+ "minLength": 20
 },
 "operation": {
 "required": true,
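Review bot: The `try { Set-Content … } catch { … }` added at the end of the log-writing block only works if the write error is terminating; `Set-Content` emits a non-terminating error by default, so unless this step's shell already forces `$ErrorActionPreference = 'Stop'` (GitHub's `powershell`/`pwsh` shells do, but the step header is outside this hunk) the `catch` never fires and the "could not write defender scan log file" warning is dead code — make it explicit with `Set-Content -Path $logFile -Value $logContent -Encoding UTF8 -ErrorAction Stop`. Separately, `ExclusionPath`/`ExclusionExtension`/`ExclusionProcess`/`ExclusionIpAddress` and the raw MpCmdRun output are written into a file that a later step uploads as a downloadable artifact; on ephemeral hosted runners that is harmless, but on a self-hosted runner it publishes the machine's AV exclusion set, so consider omitting the exclusion lines (or the upload) when `runner.environment != 'github-hosted'` and saying so in the comment above `$mpPrefLines`. Minor: under Windows PowerShell 5.1 `-Encoding UTF8` writes a BOM, which some log viewers show as `ï»¿` on the first line; `-Encoding utf8NoBOM` is only available in PowerShell 7, so this is cosmetic unless the file is parsed later. The enclosing `run:` script starts before this hunk.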
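Review bot: With `if: always() && runner.os == 'Windows'` this upload also runs when the scan step was skipped or failed before it wrote `defender-scan-log.txt`, and upload-artifact v4 only warns on a missing path by default, so a missing audit log is easy to overlook — decide explicitly with `if-no-files-found: error` if the log is meant to be a required record of the Defender scan, or `if-no-files-found: ignore` if it is best-effort. The artifact name `defender-scan-log-${{ github.run_id }}-${{ github.run_attempt }}` has no per-job component; if this job runs under a `strategy.matrix` (not visible in this hunk), v4 rejects a second artifact with the same name and the later matrix legs fail, so fold `${{ strategy.job-index }}` or the matrix values into the name. Pinning the action to a full commit SHA with a `# v4` comment is the right pattern; keep the comment in step with the SHA when it is bumped so the pin stays auditable.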