From 9d8ba9f64dbb9d797e839e84c401802a1915333d Mon Sep 17 00:00:00 2001
From: Kenichi Kamiya
Date: Fri, 8 Mar 2024 02:21:23 +0900
Subject: [PATCH] Attempt to prevent false positive detections by Windows Defender (#443)

* Run Windows Defender for Go product in CI except Dynamic Signatures
* Merge duplicate compiling Go workflows
* Note as comment in the new Windows action for how to dig or fight with Windows Defender
* Reinstall the Go compiler in Windows
I couldn't complete the first purpose, but this closes #442 for now.
---
.github/workflows/ci-windows.yml | 60 -------
.github/workflows/container.yml | 10 --
.github/workflows/release.yml | 68 --------
.github/workflows/windows.yml | 163 +++++++++++++++++++
.goreleaser.yaml | 8 +-
README.md | 2 +-
config/windows/README.md | 2 +-
config/windows/winget/winget-pkgs-basic.json | 3 +
8 files changed, 172 insertions(+), 144 deletions(-)
delete mode 100644 .github/workflows/ci-windows.yml
delete mode 100644 .github/workflows/release.yml
create mode 100644 .github/workflows/windows.yml
diff --git a/.github/workflows/ci-windows.yml b/.github/workflows/ci-windows.yml
deleted file mode 100644
index 257731aa..00000000
--- a/.github/workflows/ci-windows.yml
+++ /dev/null
@@ -1,60 +0,0 @@
-name: CI - Windows
-
-on:
- push:
- branches:
- - main
- paths:
- - '.github/workflows/ci-windows.yml'
- - '**.go'
- - 'go.*'
- pull_request:
- paths:
- - '.github/workflows/ci-windows.yml'
- - '**.go'
- - 'go.*'
- workflow_dispatch:
-
-defaults:
- run:
- shell: pwsh
-
-jobs:
- setup:
- runs-on: windows-2022
- steps:
- - uses: actions/checkout@v4
- - name: Set up Go
- uses: actions/setup-go@v5
- with:
- go-version-file: 'go.mod'
- cache-dependency-path: 'go.sum'
- - name: Make sure there are what files before build
- run: Get-ChildItem
- - name: Build winit-* # Avoiding run to measure which step taking minutes
- run: |
- # go build does not automatically create the directory
- New-Item -Force -ItemType "Directory" -Path dist
- # Need -o to keep product in multiple packages
- go build -o dist -v .\...
- - name: Make sure there are what files after build
- run: |
- Get-ChildItem
- Get-ChildItem .\dist
- # Do not write depending winget and WSL2 logcs for now
- # https://github.com/microsoft/winget-cli/issues/3872
- # https://github.com/actions/runner-images/issues/910
- # https://github.com/microsoft/winget-cli/blob/b07d2ebb7d865f95320e2bc708a2d1efb2152c5a/README.md#L14
- - name: Rebel against unacceptable default
- run: |
- .\dist\winit-reg.exe list
- .\dist\winit-reg.exe run --all
- # This logics can be finished even if tools are not installed
- - name: Put config files around terminals
- run: |
- Write-Host "$PROFILE"
- .\dist\winit-conf.exe run --pwsh_profile_path="$PROFILE"
- - name: Make sure correctly copied
- run: |
- Test-Path "$PROFILE"
- Get-Content "$PROFILE"
diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml
index 5af6380a..5844a430 100644
--- a/.github/workflows/container.yml
+++ b/.github/workflows/container.yml
@@ -30,16 +30,6 @@ jobs:
 containerfiles: |
 Containerfile
 oci: true
- - name: Wait other jobs
- uses: kachick/wait-other-jobs@v2
- timeout-minutes: 10
- with:
- skip-list: |
- [
- {
- "workflowFile": "release.yml"
- }
- ]
 - name: Push To ghcr.io
 id: push-to-ghcr
 if: ${{ github.event_name != 'pull_request' }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
deleted file mode 100644
index 5a1caf85..00000000
--- a/.github/workflows/release.yml
+++ /dev/null
@@ -1,68 +0,0 @@
-name: goreleaser
-
-on:
- push:
- tags:
- - 'v*'
- pull_request:
- paths:
- - '.github/workflows/release.yml'
- - '**.go'
- - 'go.*'
- - '.goreleaser.yaml'
- workflow_dispatch:
-
-permissions:
- contents: write
- pull-requests: write
- checks: read # For private repositories
- actions: read # For private repositories
-
-jobs:
- goreleaser:
- runs-on: windows-latest
- steps:
- - name: Checkout
- uses: actions/checkout@v4
- with:
- fetch-depth: 0
- - name: Set up Go
- uses: actions/setup-go@v5
- with:
- go-version-file: 'go.mod'
- cache-dependency-path: 'go.sum'
- - name: Wait other jobs
- uses: kachick/wait-other-jobs@v2
- if: startsWith(github.ref, 'refs/tags/')
- timeout-minutes: 30
- with:
- skip-list: |
- [
- {
- "workflowFile": "container.yml"
- }
- ]
- - name: Run GoReleaser
- uses: goreleaser/goreleaser-action@v5
- if: startsWith(github.ref, 'refs/tags/')
- with:
- distribution: goreleaser
- version: 'v1.24.0' # selfup { "regex": "\\d[^']+", "script": "goreleaser --version | grep 'GitVersion:' | tr -s ' ' | cut -d ' ' -f 2" }
- args: release --clean
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- - name: Check the release step are valid or not in non tagged triggers
- uses: goreleaser/goreleaser-action@v5
- # https://github.com/orgs/community/discussions/26386
- if: ${{ !startsWith(github.ref, 'refs/tags/') }}
- with:
- distribution: goreleaser
- version: 'v1.24.0' # selfup { "regex": "\\d[^']+", "script": "goreleaser --version | grep 'GitVersion:' | tr -s ' ' | cut -d ' ' -f 2" }
- args: build --snapshot --clean
- # https://github.com/goreleaser/goreleaser-action/tree/5fdedb94abba051217030cc86d4523cf3f02243d#upload-artifacts
- - name: Upload assets
- uses: actions/upload-artifact@v4
- if: ${{ !startsWith(github.ref, 'refs/tags/') }}
- with:
- name: tools
- path: dist/**/*.exe
diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
new file mode 100644
index 00000000..197531f9
--- /dev/null
+++ b/.github/workflows/windows.yml 
@@ -0,0 +1,163 @@
+name: Windows
+
+on:
+ push:
+ tags:
+ - 'v*'
+ branches:
+ - main
+ paths:
+ - '.github/workflows/windows.yml'
+ - '**.go'
+ - 'go.*'
+ - '.goreleaser.yaml'
+ - 'config'
+ pull_request:
+ paths:
+ - '.github/workflows/windows.yml'
+ - '**.go'
+ - 'go.*'
+ - '.goreleaser.yaml'
+ - 'config'
+ workflow_dispatch:
+
+permissions:
+ contents: write
+ pull-requests: write
+ checks: read # For private repositories
+ actions: read # For private repositories
+
+defaults:
+ run:
+ shell: pwsh
+
+jobs:
+ # This job has many comment-out tyle note, agree to ugly, but do NOT remove for now.
+ # See #443 for detail.
+ terraform: # Not Terraform :)
+ runs-on: windows-2022
+ steps:
+ - name: Prepare Windows Defender
+ # https://github.com/actions/runner-images/issues/855#issuecomment-626692949 may help to understand
+ run: |
+ & "C:\Program Files\Windows Defender\MpCmdRun.exe" -ListAllDynamicSignatures
+
+ # https://github.com/actions/runner-images/blob/61df9288f9be9f6aeaaaa4ad52a7332432913fc3/images/windows/scripts/build/Configure-WindowsDefender.ps1#L38-L44
+ Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection' -Name 'ForceDefenderPassiveMode' -Value '0' -Type 'DWORD'
+ Start-Service -DisplayName *Defend* -WhatIf
+ Start-Service -Name WinDefend
+
+ # Get-Item -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender"
+ # Get-Item -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet"
+ # I can't find any resource of this key in web also GitHub, but Copilot said... So testing in action runner may be interest :)
+ # Set-ItemProperty -Force -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" -Name JoinMicrosoftSpyNet -Value 1
+ # Get-Item -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet"
+
+ # Remove cache: https://news.mynavi.jp/article/win10tips-410/
+ & "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -DynamicSignatures
+
+ # Enable cloud-based protection
+ Set-MpPreference -MAPSReporting Advanced
+ # Enable automatic sample submission
+ Set-MpPreference -SubmitSamplesConsent SendSafeSamples
+ # Restart-Service -Name WinDefend
+
+ Set-Service -Name wuauserv -StartupType Manual -Status Running
+ & "C:\Program Files\Windows Defender\MpCmdRun.exe" -SignatureUpdate
+ Update-MpSignature
+ # Restart-Service -Name WinDefend
+ & "C:\Program Files\Windows Defender\MpCmdRun.exe" -ListAllDynamicSignatures
+
+ # Disable to skip(=Enable). When I removed, `Scanning D:\a\dotfiles\dotfiles\distributed-artifact.zip was skipped.` logged
+ Remove-MpPreference -ExclusionPath (Get-MpPreference).ExclusionPath
+ - name: Make sure dynamic signatures are enabled ... or not
+ run: |
+ Get-MpComputerStatus
+
+ # Remove this to raise error if you REALIZED to enable Dynamic Signature scans
+ # if (!((& "C:\Program Files\Windows Defender\MpCmdRun.exe" -ListAllDynamicSignatures) | Select-String -Pattern "SignatureSet ID:")) {
+ # Exit 42
+ # }
+ & "C:\Program Files\Windows Defender\MpCmdRun.exe" -ListAllDynamicSignatures
+ - uses: actions/checkout@v4
+ with:
+ # KEEP fetch-depth for goreleaser
+ # https://github.com/goreleaser/goreleaser-action/blob/696b757ee8f3742e68b261173b9eeeb96306a57f/README.md?plain=1#L77
+ fetch-depth: 0
+ - name: Set up Go
+ uses: actions/setup-go@v5
+ with:
+ go-version-file: 'go.mod'
+ cache-dependency-path: 'go.sum'
+ - name: Install goreleaser
+ uses: goreleaser/goreleaser-action@v5
+ with:
+ install-only: true
+ version: 'v1.24.0' # selfup { "regex": "\\d[^']+", "script": "goreleaser --version | grep 'GitVersion:' | tr -s ' ' | cut -d ' ' -f 2" }
+ - name: List files - before build
+ run: Get-ChildItem
+ - name: Build winit-*
+ run: goreleaser build --snapshot --clean
+ - name: List files - after build
+ run: |
+ Get-ChildItem
+ Get-ChildItem -Recurse .\dist
+ # https://github.com/goreleaser/goreleaser-action/tree/5fdedb94abba051217030cc86d4523cf3f02243d#upload-artifacts
+ - name: Upload artifact
+ id: upload-artifact
+ uses: actions/upload-artifact@v4
+ with:
+ name: winit
+ path: dist/**/*.exe
+ - name: Download the artifact to make sure we can actually use it
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" `
+ repos/${{ github.repository }}/actions/artifacts/${{ steps.upload-artifact.outputs.artifact-id }}/zip > distributed-artifact.zip
+ - name: Check Windows Defender does not false positive detect the product
+ run: |
+ & "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -Trace -File "$(pwd)\dist"
+ & "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -Trace -File "$(pwd)\distributed-artifact.zip"
+
+ # Do not enable this as possible, too slow ... Scanning all folders with this option? :<
+ # Start-MpScan -ScanPath "$pwd"
+
+ Get-MpThreat
+ Get-MpThreatDetection
+ # Skipping because of bit slow...
+ # - name: Collect Defender log
+ # run: |
+ # New-Item -Force -ItemType "Directory" -Path MpCmdRun-logs
+ # & "C:\Program Files\Windows Defender\MpCmdRun.exe" -GetFiles -SupportLogLocation "$(pwd)\MpCmdRun-logs"
+ #
+ # Enable this section when you want to update logics and check it
+ # - name: Upload artifact
+ # id: upload-defender-log
+ # uses: actions/upload-artifact@v4
+ # with:
+ # name: MpCmdRun-logs
+ # path: MpCmdRun-logs/**
+ #
+ # Do not write depending winget logcs for now
+ # - windows-2025 definitely enable it by default
+ # - windows-2022 may realize with the action: https://github.com/microsoft/winget-cli/issues/3872
+ # - proposal: https://github.com/actions/runner-images/issues/910
+ # - note: https://github.com/microsoft/winget-cli/blob/b07d2ebb7d865f95320e2bc708a2d1efb2152c5a/README.md#L14
+ - name: Rebel against unacceptable default
+ run: |
+ .\dist\winit-reg_windows_amd64_v1\winit-reg.exe list
+ .\dist\winit-reg_windows_amd64_v1\winit-reg.exe run --all
+ # This logics can be finished even if tools are not installed
+ - name: Put config files around terminals
+ run: |
+ Write-Host "$PROFILE"
+ .\dist\winit-conf_windows_amd64_v1\winit-conf.exe run -pwsh_profile_path "$PROFILE"
+ - name: Make sure it correctly copied some config files
+ run: |
+ Test-Path "$PROFILE"
+ Get-Content "$PROFILE"
+ - name: Release the product
+ if: startsWith(github.ref, 'refs/tags/')
+ run: |
+ goreleaser release --clean
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index c36cd329..f8f14742 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -2,10 +2,10 @@
 # Make sure to check the documentation at https://goreleaser.com
 before:
 hooks:
- # You may remove this if you don't use go modules.
- - go mod tidy
- # you may remove this if you don't need go generate
- - go generate ./...
+ # # You may remove this if you don't use go modules.
+ # - go mod tidy
+ # # you may remove this if you don't need go generate
+ # - go generate ./...
 # https://github.com/orgs/goreleaser/discussions/1531
 builds:
 - id: winit-reg
diff --git a/README.md b/README.md
index 4d95baba..f52496ec 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@ # dotfiles [![Home Status](https://github.com/kachick/dotfiles/actions/workflows/ci-home.yml/badge.svg?branch=main)](https://github.com/kachick/dotfiles/actions/workflows/ci-home.yml?query=branch%3Amain+) -[![Home Status](https://github.com/kachick/dotfiles/actions/workflows/ci-windows.yml/badge.svg?branch=main)](https://github.com/kachick/dotfiles/actions/workflows/ci-windows.yml?query=branch%3Amain+) +[![Home Status](https://github.com/kachick/dotfiles/actions/workflows/windows.yml/badge.svg?branch=main)](https://github.com/kachick/dotfiles/actions/workflows/windows.yml?query=branch%3Amain+) [![Nix Status](https://github.com/kachick/dotfiles/actions/workflows/ci-nix.yml/badge.svg?branch=main)](https://github.com/kachick/dotfiles/actions/workflows/ci-nix.yml?query=branch%3Amain+) [![CI - Go Status](https://github.com/kachick/dotfiles/actions/workflows/ci-go.yml/badge.svg?branch=main)](https://github.com/kachick/dotfiles/actions/workflows/ci-go.yml?query=branch%3Amain+) [![Container Status](https://github.com/kachick/dotfiles/actions/workflows/container.yml/badge.svg?branch=main)](https://github.com/kachick/dotfiles/actions/workflows/container.yml?query=branch%3Amain+)
diff --git a/config/windows/README.md b/config/windows/README.md
index acececf7..1a55ccf9 100644
--- a/config/windows/README.md
+++ b/config/windows/README.md
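Review bot: The four `before.hooks` entries are commented out rather than deleted and the hunk gives no reason, so a later reader cannot tell whether `go mod tidy` and `go generate ./...` are expected to come back or were found harmful; a one-line note above the block stating why they are disabled and whether they should return (or simply deleting the block, since git keeps the history) would make the intent explicit. Dropping `go mod tidy` from a release build is sound in that nothing in the release path rewrites `go.mod`/`go.sum` any more; if a pre-build integrity check is still wanted, `- go mod verify` is a hook that checks the module cache against `go.sum` without mutating the tree.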
@@ -4,7 +4,7 @@ Basically following codes will be done in PowerShell -1. Download the windows helper binaries from [GitHub releases](https://github.com/kachick/dotfiles/releases) or uploaded artifacts in [each workflow](https://github.com/kachick/dotfiles/actions/workflows/release.yml) summary +1. Download the windows helper binaries from [GitHub releases](https://github.com/kachick/dotfiles/releases) or uploaded artifacts in [each workflow](https://github.com/kachick/dotfiles/actions/workflows/windows.yml) summary 1. New session of pwsh ```powershell ./winit-conf.exe run -pwsh_profile_path "$PROFILE"
diff --git a/config/windows/winget/winget-pkgs-basic.json b/config/windows/winget/winget-pkgs-basic.json
index 485df2f1..422ecb9c 100644
--- a/config/windows/winget/winget-pkgs-basic.json
+++ b/config/windows/winget/winget-pkgs-basic.json
@@ -64,6 +64,9 @@
 {
 "PackageIdentifier": "Starship.Starship"
 },
+ {
+ "PackageIdentifier": "GoLang.Go"
+ },
 {
 "PackageIdentifier": "Microsoft.VisualStudioCode"
 }