ci: store Windows Defender scan logs as artifact on cross-platform build

.github/workflows/cgo.yml

@@ -1854,6 +1854,65 @@ jobs:
         Write-Host "Exit code: $scanExitCode"
         Write-Host "======================="
 
+        # Write diagnostic info and scan output to a log file for artifact upload.
+        $logFile = Join-Path $env:RUNNER_TEMP "defender-scan-log.txt"
+        $mpStatusLines = if ($mpStatus) {
+          @(
+            "AntivirusEnabled: $($mpStatus.AntivirusEnabled)",
+            "RealTimeProtectionEnabled: $($mpStatus.RealTimeProtectionEnabled)",
+            "AntivirusSignatureVersion: $($mpStatus.AntivirusSignatureVersion)",
+            "AntivirusSignatureLastUpdated: $($mpStatus.AntivirusSignatureLastUpdated)",
+            "AMProductVersion: $($mpStatus.AMProductVersion)",
+            "AMEngineVersion: $($mpStatus.AMEngineVersion)",
+            "AMRunningMode: $($mpStatus.AMRunningMode)",
+            "IoavProtectionEnabled: $($mpStatus.IoavProtectionEnabled)"
+          )
+        } else {
+          @("(Get-MpComputerStatus unavailable)")
+        }
+        $mpPrefLines = if ($mpPreference) {
+          @(
+            "ExclusionPath: $(@($mpPreference.ExclusionPath) -join '; ')",
+            "ExclusionExtension: $(@($mpPreference.ExclusionExtension) -join '; ')",
+            "ExclusionProcess: $(@($mpPreference.ExclusionProcess) -join '; ')",
+            "ExclusionIpAddress: $(@($mpPreference.ExclusionIpAddress) -join '; ')"
+          )
+        } else {
+          @("(Get-MpPreference unavailable)")
+        }
+        $winDefendLines = if ($winDefendService) {
+          @(
+            "WinDefend service status: $($winDefendService.Status)",
+            "WinDefend service start: $($winDefendService.StartType)"
+          )
+        } else {
+          @("(WinDefend service unavailable)")
+        }
+        $logContent = @(
+          "=== Microsoft Defender diagnostic info ===",
+          ($mpStatusLines -join "`n"),
+          ($mpPrefLines -join "`n"),
+          ($winDefendLines -join "`n"),
+          "MpCmdRun.exe path: $mpCmdRun",
+          "Workspace binary: $workspaceBinaryPath",
+          "Workspace size: $($stableBinaryItem.Length) bytes",
+          "Workspace SHA256: $workspaceBinaryHash",
+          "Binary to scan: $binaryPath",
+          "Binary size: $($scanBinaryItem.Length) bytes",
+          "Binary SHA256: $scanBinaryHash",
+          "==========================================",
+          "",
+          "=== MpCmdRun output ===",
+          $outputText,
+          "Exit code: $scanExitCode",
+          "======================="
+        ) -join "`n"
+        try {
+          Set-Content -Path $logFile -Value $logContent -Encoding UTF8
+        } catch {
+          Write-Host "Warning: could not write defender scan log file: $_"
+        }
+
         # Exit code alone is not enough: explicitly parse output to confirm scan execution.
         $skipped = $output | Where-Object { $_ -imatch "\bwas skipped\b|\bcannot be scanned\b|\bnot performed\b|\b(?:file|scan).*\bexcluded\b" }
         $threatLines = $output | Where-Object { $_ -match "\bThreat\b" }
@@ -1882,6 +1941,14 @@ jobs:
 
         Write-Host "✅ Microsoft Defender scan completed successfully for $binaryPath"
 
+    - name: Upload Defender scan logs
+      if: always() && runner.os == 'Windows'
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02   # v4
+      with:
+        name: defender-scan-log-${{ github.run_id }}-${{ github.run_attempt }}
+        path: ${{ runner.temp }}/defender-scan-log.txt
+        retention-days: 7
+
     - name: Create test workflow
       shell: bash
       run: |