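# Windows CI workflow: builds the winit-* tools, checks them against Windows
# Defender on a hosted windows-2022 runner and publishes a release on tags.
#
# NOTE(review): the workflow name below renders as mojibake on this page; it is
# most likely an emoji in the real file — confirm against the original before
# editing it.
name: πͺ
on:  # yamllint disable-line rule:truthy -- GitHub's loader reads the YAML 1.1 boolean-looking `on` key as intended
  push:
    tags:
      - 'v*'
    branches:
      - main
    paths:
      - '.github/workflows/windows.yml'
      - 'windows**'
      - '**.go'
      - 'go.*'
      # `config/**`, not bare `config`: a pattern without a wildcard only matches
      # the path `config` itself, so edits under the config/ tree (e.g. the
      # config/powershell/Profile.ps1 consumed by the winit-conf step) would
      # never trigger this workflow.
      - 'config/**'
      - '!**.md'
  pull_request:
    paths:
      - '.github/workflows/windows.yml'
      - 'windows**'
      - '**.go'
      - 'go.*'
      # Same fix as in the push filter above.
      - 'config/**'
      - '!**.md'
  workflow_dispatch:
# Workflow-level permissions apply to every job, including `inspect_runner`,
# which needs none. `contents: write` is required only by the `gh release create`
# step; `pull-requests: write` is not used by any step in this file — consider
# dropping it or moving `permissions` under the job that needs it.
permissions:
  contents: write
  pull-requests: write
  checks: read # For private repositories
  actions: read # For private repositories
defaults:
  run:
    # To respect exit code and make fail-fast behaviors. See GH-617
    #
    # NOTE: `pwsh` specifier is defined in below
    # - https://github.com/actions/runner/blob/6d7446a45ebc638a842895d5742d6cf9afa3b66d/src/Runner.Worker/Handlers/ScriptHandlerHelpers.cs#L16-L17
    # - https://github.com/actions/runner/blob/6d7446a45ebc638a842895d5742d6cf9afa3b66d/src/Runner.Worker/Handlers/ScriptHandlerHelpers.cs#L60-L65
    #
    # `{0}` is replaced by the runner with the path of the generated script;
    # both preference variables make a failing native command or cmdlet abort
    # the step instead of being silently ignored.
    shell: |
      pwsh -command "$PSNativeCommandUseErrorActionPreference = $true; $ErrorActionPreference = 'stop'; . '{0}'"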
# Two jobs on the windows-2022 hosted runner: `inspect_runner` only prints the
# PowerShell state produced by the `defaults.run.shell` wrapper; `terraform`
# reconfigures Defender, builds the winit-* tools, scans and exercises them on
# the runner and, when the ref is a tag, publishes them as a GitHub release.
jobs:
  inspect_runner:
    runs-on: windows-2022
    steps:
      # Diagnostic only: shows the pwsh version and the two preference variables
      # set by the custom `shell:` so the GH-617 behaviour can be verified in the log.
      - name: Print some variables which is applied in GH-617
        run: |
          $PSVersionTable
          $PSNativeCommandUseErrorActionPreference
          $ErrorActionPreference
  # This job has many comment-out style note, agree to ugly, but do NOT remove for now.
  # See #443 for detail.
  #
  # Not Terraform :)
  terraform:
    runs-on: windows-2022
    steps:
      # Reconfigures Defender on the ephemeral runner: sets the
      # ForceDefenderPassiveMode policy value to 0, starts WinDefend, refreshes
      # signatures, enables cloud-based protection and safe-sample submission,
      # and removes every configured path exclusion so the build output is
      # actually scanned later on.
      # NOTE(review): `SubmitSamplesConsent SendSafeSamples` means the freshly
      # built binaries may be uploaded to Microsoft during the later scan —
      # apparently intended here, but worth knowing before reusing this step.
      - name: Prepare Windows Defender
        # https://github.com/actions/runner-images/issues/855#issuecomment-626692949 may help to understand
        run: |
          & "C:\Program Files\Windows Defender\MpCmdRun.exe" -ListAllDynamicSignatures
          # https://github.com/actions/runner-images/blob/61df9288f9be9f6aeaaaa4ad52a7332432913fc3/images/windows/scripts/build/Configure-WindowsDefender.ps1#L38-L44
          Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection' -Name 'ForceDefenderPassiveMode' -Value '0' -Type 'DWORD'
          Start-Service -DisplayName *Defend* -WhatIf
          Start-Service -Name WinDefend
          # Get-Item -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender"
          # Get-Item -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet"
          # I can't find any resource of this key in web also GitHub, but Copilot said... So testing in action runner may be interest :)
          # Set-ItemProperty -Force -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" -Name JoinMicrosoftSpyNet -Value 1
          # Get-Item -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet"
          # Remove cache: https://news.mynavi.jp/article/win10tips-410/
          & "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -DynamicSignatures
          # Enable cloud-based protection
          Set-MpPreference -MAPSReporting Advanced
          # Enable automatic sample submission
          Set-MpPreference -SubmitSamplesConsent SendSafeSamples
          # Restart-Service -Name WinDefend
          Set-Service -Name wuauserv -StartupType Manual -Status Running
          & "C:\Program Files\Windows Defender\MpCmdRun.exe" -SignatureUpdate
          Update-MpSignature
          # Restart-Service -Name WinDefend
          & "C:\Program Files\Windows Defender\MpCmdRun.exe" -ListAllDynamicSignatures
          # Disable to skip(=Enable). When I removed, `Scanning D:\a\dotfiles\dotfiles\distributed-artifact.zip was skipped.` logged
          Remove-MpPreference -ExclusionPath (Get-MpPreference).ExclusionPath
      # Prints Defender status and the dynamic-signature list; the `Exit 42`
      # check stays commented out until dynamic signatures are confirmed to be
      # available on the runner image, so this step never fails on its own.
      - name: Make sure dynamic signatures are enabled ... or not
        run: |
          Get-MpComputerStatus
          # Remove this to raise error if you REALIZED to enable Dynamic Signature scans
          # if (!((& "C:\Program Files\Windows Defender\MpCmdRun.exe" -ListAllDynamicSignatures) | Select-String -Pattern "SignatureSet ID:")) {
          #   Exit 42
          # }
          & "C:\Program Files\Windows Defender\MpCmdRun.exe" -ListAllDynamicSignatures
      # NOTE(review): the three marketplace actions below are pinned by major
      # tag only (`@v4`, `@v5`); pinning to a full commit SHA is the usual
      # hardening against a moved or compromised tag.
      - uses: actions/checkout@v4
        with:
          # KEEP fetch-depth for gh command
          fetch-depth: 0
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version-file: 'go.mod'
          cache-dependency-path: 'go.sum'
      - name: List files - before build
        run: Get-ChildItem
      # Only the two Windows-side binaries are built here, into dist/.
      - name: Build winit-*
        # unnecessary to build wsl-* here, it should be done in linux runners
        run: |
          go build -o 'dist/' ./cmd/winit-reg
          go build -o 'dist/' ./cmd/winit-conf
      - name: List files - after build
        run: |
          Get-ChildItem
          Get-ChildItem -Recurse .\dist
      # `id` is referenced by the next step to look up `artifact-id`.
      - name: Upload artifact
        id: upload-artifact
        uses: actions/upload-artifact@v4
        with:
          name: winit
          path: dist
      # Pulls the just-uploaded archive back through the REST API (this is what
      # the `actions: read` permission is for) so the distributed zip, not only
      # the loose files in dist/, gets scanned in the next step.
      - name: Download the artifact to make sure we can actually use it
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" `
            repos/${{ github.repository }}/actions/artifacts/${{ steps.upload-artifact.outputs.artifact-id }}/zip > distributed-artifact.zip
      # NOTE(review): failing this step on a detection relies on MpCmdRun
      # returning non-zero under the fail-fast `shell:` wrapper; Get-MpThreat
      # and Get-MpThreatDetection appear to only print findings. Confirm that a
      # real detection actually fails the job rather than just logging.
      - name: Check Windows Defender does not false positive detect the product
        run: |
          & "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -Trace -File "$(pwd)\dist"
          & "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -Trace -File "$(pwd)\distributed-artifact.zip"
          # Do not enable this as possible, too slow ... Scanning all folders with this option? :<
          # Start-MpScan -ScanPath "$pwd"
          Get-MpThreat
          Get-MpThreatDetection
      # Skipping because of bit slow...
      # - name: Collect Defender log
      #   run: |
      #     New-Item -Force -ItemType "Directory" -Path MpCmdRun-logs
      #     & "C:\Program Files\Windows Defender\MpCmdRun.exe" -GetFiles -SupportLogLocation "$(pwd)\MpCmdRun-logs"
      #
      # Enable this section when you want to update logics and check it
      # - name: Upload artifact
      #   id: upload-defender-log
      #   uses: actions/upload-artifact@v4
      #   with:
      #     name: MpCmdRun-logs
      #     path: MpCmdRun-logs/**
      #
      # Do not write depending winget logcs for now
      # - windows-2025 definitely enable it by default
      # - windows-2022 may realize with the action: https://github.com/microsoft/winget-cli/issues/3872
      # - proposal: https://github.com/actions/runner-images/issues/910
      # - note: https://github.com/microsoft/winget-cli/blob/b07d2ebb7d865f95320e2bc708a2d1efb2152c5a/README.md#L14
      # Smoke-tests the freshly built winit-reg against the runner's own
      # registry (`list`, then `run --all`); nothing here touches the repository.
      - name: Rebel against unacceptable default
        run: |
          .\dist\winit-reg.exe list
          .\dist\winit-reg.exe run --all
      # This logics can be finished even if tools are not installed
      # NOTE(review): `Install-Module -Force -Name PSFzfHistory` installs the
      # latest gallery version on every run with no `-RequiredVersion`; pin it
      # (and review the module) if the generated profile is trusted beyond this
      # smoke test.
      - name: Put config files around terminals
        run: |
          Write-Host "$PROFILE"
          .\dist\winit-conf.exe run
          Install-Module -Force -Name PSFzfHistory
          .\dist\winit-conf.exe generate -path="config/powershell/Profile.ps1" > "$PROFILE"
      # `Test-Path` only prints True/False; a missing profile makes this step
      # fail through `Get-Content` erroring under `$ErrorActionPreference = 'stop'`.
      - name: Make sure it correctly copied some config files
        run: |
          Test-Path "$PROFILE"
          Get-Content "$PROFILE"
      # Runs only when the triggering ref is a tag (push is filtered to `v*`
      # tags in the `on:` section); `github.token` needs `contents: write` for
      # `gh release create`. `--verify-tag` refuses to create a release for a
      # tag that does not exist on the remote.
      - name: Release the product
        if: startsWith(github.ref, 'refs/tags/')
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          gh release create --verify-tag "$GITHUB_REF_NAME" --title "$GITHUB_REF_NAME" dist/*.exe