From 7009c6e492524c4fcb5a93cf0d253b7cee194499 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 17 Jun 2026 03:05:20 +0000 Subject: [PATCH 1/3] Add defender scan log artifact to cross-platform-build Windows job Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/release.lock.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml index 88986810e83..7791bb048ba 100644 --- a/.github/workflows/release.lock.yml +++ b/.github/workflows/release.lock.yml @@ -661,7 +661,8 @@ jobs: "required": true, "type": "string", "sanitize": true, - "maxLength": 65000 + "maxLength": 65000, + "minLength": 20 }, "operation": { "required": true, From 4fd568f1ff3fe90977c6ba81f6b3dd20c6c941a3 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 17 Jun 2026 03:09:46 +0000 Subject: [PATCH 2/3] Add defender scan log artifact to cross-platform-build Windows job Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/cgo.yml | 62 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 62 insertions(+) diff --git a/.github/workflows/cgo.yml b/.github/workflows/cgo.yml index a839f61f72f..2af9ee2e55d 100644 --- a/.github/workflows/cgo.yml +++ b/.github/workflows/cgo.yml @@ -1854,6 +1854,60 @@ jobs: Write-Host "Exit code: $scanExitCode" Write-Host "=======================" + # Write diagnostic info and scan output to a log file for artifact upload. + $logFile = Join-Path $env:RUNNER_TEMP "defender-scan-log.txt" + $mpStatusLines = if ($mpStatus) { + @( + "AntivirusEnabled: $($mpStatus.AntivirusEnabled)", + "RealTimeProtectionEnabled: $($mpStatus.RealTimeProtectionEnabled)", + "AntivirusSignatureVersion: $($mpStatus.AntivirusSignatureVersion)", + "AntivirusSignatureLastUpdated: $($mpStatus.AntivirusSignatureLastUpdated)", + "AMProductVersion: $($mpStatus.AMProductVersion)", + "AMEngineVersion: $($mpStatus.AMEngineVersion)", + "AMRunningMode: $($mpStatus.AMRunningMode)", + "IoavProtectionEnabled: $($mpStatus.IoavProtectionEnabled)" + ) + } else { + @("(Get-MpComputerStatus unavailable)") + } + $mpPrefLines = if ($mpPreference) { + @( + "ExclusionPath: $(@($mpPreference.ExclusionPath) -join '; ')", + "ExclusionExtension: $(@($mpPreference.ExclusionExtension) -join '; ')", + "ExclusionProcess: $(@($mpPreference.ExclusionProcess) -join '; ')", + "ExclusionIpAddress: $(@($mpPreference.ExclusionIpAddress) -join '; ')" + ) + } else { + @("(Get-MpPreference unavailable)") + } + $winDefendLines = if ($winDefendService) { + @( + "WinDefend service status: $($winDefendService.Status)", + "WinDefend service start: $($winDefendService.StartType)" + ) + } else { + @("(WinDefend service unavailable)") + } + @( + "=== Microsoft Defender diagnostic info ===", + ($mpStatusLines -join "`n"), + ($mpPrefLines -join "`n"), + ($winDefendLines -join "`n"), + "MpCmdRun.exe path: $mpCmdRun", + "Workspace binary: $workspaceBinaryPath", + "Workspace size: $($stableBinaryItem.Length) bytes", + "Workspace SHA256: $workspaceBinaryHash", + "Binary to scan: $binaryPath", + "Binary size: $($scanBinaryItem.Length) bytes", + "Binary SHA256: $scanBinaryHash", + "==========================================", + "", + "=== MpCmdRun output ===", + $outputText, + "Exit code: $scanExitCode", + "=======================" + ) -join "`n" | Set-Content -Path $logFile -Encoding UTF8 + # Exit code alone is not enough: explicitly parse output to confirm scan execution. $skipped = $output | Where-Object { $_ -imatch "\bwas skipped\b|\bcannot be scanned\b|\bnot performed\b|\b(?:file|scan).*\bexcluded\b" } $threatLines = $output | Where-Object { $_ -match "\bThreat\b" } @@ -1882,6 +1936,14 @@ jobs: Write-Host "✅ Microsoft Defender scan completed successfully for $binaryPath" + - name: Upload Defender scan logs + if: always() && runner.os == 'Windows' + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 + with: + name: defender-scan-log-${{ github.run_id }}-${{ github.run_attempt }} + path: ${{ runner.temp }}/defender-scan-log.txt + retention-days: 7 + - name: Create test workflow shell: bash run: | From a85a8d33661694e50152e14507eefd3343e14c7e Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 17 Jun 2026 03:12:23 +0000 Subject: [PATCH 3/3] Address review feedback: remove padding alignment, wrap Set-Content in try-catch Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/cgo.yml | 41 ++++++++++++++++++++++----------------- 1 file changed, 23 insertions(+), 18 deletions(-) diff --git a/.github/workflows/cgo.yml b/.github/workflows/cgo.yml index 2af9ee2e55d..3502037222b 100644 --- a/.github/workflows/cgo.yml +++ b/.github/workflows/cgo.yml @@ -1858,23 +1858,23 @@ jobs: $logFile = Join-Path $env:RUNNER_TEMP "defender-scan-log.txt" $mpStatusLines = if ($mpStatus) { @( - "AntivirusEnabled: $($mpStatus.AntivirusEnabled)", - "RealTimeProtectionEnabled: $($mpStatus.RealTimeProtectionEnabled)", - "AntivirusSignatureVersion: $($mpStatus.AntivirusSignatureVersion)", + "AntivirusEnabled: $($mpStatus.AntivirusEnabled)", + "RealTimeProtectionEnabled: $($mpStatus.RealTimeProtectionEnabled)", + "AntivirusSignatureVersion: $($mpStatus.AntivirusSignatureVersion)", "AntivirusSignatureLastUpdated: $($mpStatus.AntivirusSignatureLastUpdated)", - "AMProductVersion: $($mpStatus.AMProductVersion)", - "AMEngineVersion: $($mpStatus.AMEngineVersion)", - "AMRunningMode: $($mpStatus.AMRunningMode)", - "IoavProtectionEnabled: $($mpStatus.IoavProtectionEnabled)" + "AMProductVersion: $($mpStatus.AMProductVersion)", + "AMEngineVersion: $($mpStatus.AMEngineVersion)", + "AMRunningMode: $($mpStatus.AMRunningMode)", + "IoavProtectionEnabled: $($mpStatus.IoavProtectionEnabled)" ) } else { @("(Get-MpComputerStatus unavailable)") } $mpPrefLines = if ($mpPreference) { @( - "ExclusionPath: $(@($mpPreference.ExclusionPath) -join '; ')", + "ExclusionPath: $(@($mpPreference.ExclusionPath) -join '; ')", "ExclusionExtension: $(@($mpPreference.ExclusionExtension) -join '; ')", - "ExclusionProcess: $(@($mpPreference.ExclusionProcess) -join '; ')", + "ExclusionProcess: $(@($mpPreference.ExclusionProcess) -join '; ')", "ExclusionIpAddress: $(@($mpPreference.ExclusionIpAddress) -join '; ')" ) } else { @@ -1883,30 +1883,35 @@ jobs: $winDefendLines = if ($winDefendService) { @( "WinDefend service status: $($winDefendService.Status)", - "WinDefend service start: $($winDefendService.StartType)" + "WinDefend service start: $($winDefendService.StartType)" ) } else { @("(WinDefend service unavailable)") } - @( + $logContent = @( "=== Microsoft Defender diagnostic info ===", ($mpStatusLines -join "`n"), ($mpPrefLines -join "`n"), ($winDefendLines -join "`n"), "MpCmdRun.exe path: $mpCmdRun", - "Workspace binary: $workspaceBinaryPath", - "Workspace size: $($stableBinaryItem.Length) bytes", - "Workspace SHA256: $workspaceBinaryHash", - "Binary to scan: $binaryPath", - "Binary size: $($scanBinaryItem.Length) bytes", - "Binary SHA256: $scanBinaryHash", + "Workspace binary: $workspaceBinaryPath", + "Workspace size: $($stableBinaryItem.Length) bytes", + "Workspace SHA256: $workspaceBinaryHash", + "Binary to scan: $binaryPath", + "Binary size: $($scanBinaryItem.Length) bytes", + "Binary SHA256: $scanBinaryHash", "==========================================", "", "=== MpCmdRun output ===", $outputText, "Exit code: $scanExitCode", "=======================" - ) -join "`n" | Set-Content -Path $logFile -Encoding UTF8 + ) -join "`n" + try { + Set-Content -Path $logFile -Value $logContent -Encoding UTF8 + } catch { + Write-Host "Warning: could not write defender scan log file: $_" + } # Exit code alone is not enough: explicitly parse output to confirm scan execution. $skipped = $output | Where-Object { $_ -imatch "\bwas skipped\b|\bcannot be scanned\b|\bnot performed\b|\b(?:file|scan).*\bexcluded\b" }