Attempt to prevent false positive detections by Windows Defender

.github/workflows/container.yml

@@ -30,16 +30,6 @@ jobs:
           containerfiles: |
             Containerfile
           oci: true
-      - name: Wait other jobs
-        uses: kachick/wait-other-jobs@v2
-        timeout-minutes: 10
-        with:
-          skip-list: |
-            [
-              {
-                "workflowFile": "release.yml"
-              }
-            ]
       - name: Push To ghcr.io
         id: push-to-ghcr
         if: ${{ github.event_name != 'pull_request' }}

.github/workflows/windows.yml

@@ -0,0 +1,163 @@
+name: Windows
+
+on:
+  push:
+    tags:
+      - 'v*'
+    branches:
+      - main
+    paths:
+      - '.github/workflows/windows.yml'
+      - '**.go'
+      - 'go.*'
+      - '.goreleaser.yaml'
+      - 'config'
+  pull_request:
+    paths:
+      - '.github/workflows/windows.yml'
+      - '**.go'
+      - 'go.*'
+      - '.goreleaser.yaml'
+      - 'config'
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  pull-requests: write
+  checks: read # For private repositories
+  actions: read # For private repositories
+
+defaults:
+  run:
+    shell: pwsh
+
+jobs:
+  # This job has many comment-out tyle note, agree to ugly, but do NOT remove for now.
+  # See #443 for detail.
+  terraform: # Not Terraform :)
+    runs-on: windows-2022
+    steps:
+      - name: Prepare Windows Defender
+        # https://github.com/actions/runner-images/issues/855#issuecomment-626692949 may help to understand
+        run: |
+          & "C:\Program Files\Windows Defender\MpCmdRun.exe" -ListAllDynamicSignatures
+
+          # https://github.com/actions/runner-images/blob/61df9288f9be9f6aeaaaa4ad52a7332432913fc3/images/windows/scripts/build/Configure-WindowsDefender.ps1#L38-L44
+          Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection' -Name 'ForceDefenderPassiveMode' -Value '0' -Type 'DWORD'
+          Start-Service -DisplayName *Defend* -WhatIf
+          Start-Service -Name WinDefend
+
+          # Get-Item -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender"
+          # Get-Item -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet"
+          # I can't find any resource of this key in web also GitHub, but Copilot said... So testing in action runner may be interest :)
+          # Set-ItemProperty -Force -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet" -Name JoinMicrosoftSpyNet -Value 1
+          # Get-Item -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet"
+
+          # Remove cache: https://news.mynavi.jp/article/win10tips-410/
+          & "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -DynamicSignatures
+
+          # Enable cloud-based protection
+          Set-MpPreference -MAPSReporting Advanced
+          # Enable automatic sample submission
+          Set-MpPreference -SubmitSamplesConsent SendSafeSamples
+          # Restart-Service -Name WinDefend
+
+          Set-Service -Name wuauserv -StartupType Manual -Status Running
+          & "C:\Program Files\Windows Defender\MpCmdRun.exe" -SignatureUpdate
+          Update-MpSignature
+          # Restart-Service -Name WinDefend
+          & "C:\Program Files\Windows Defender\MpCmdRun.exe" -ListAllDynamicSignatures
+
+          # Disable to skip(=Enable). When I removed, `Scanning D:\a\dotfiles\dotfiles\distributed-artifact.zip was skipped.` logged
+          Remove-MpPreference -ExclusionPath (Get-MpPreference).ExclusionPath
+      - name: Make sure dynamic signatures are enabled ... or not
+        run: |
+          Get-MpComputerStatus
+
+          # Remove this to raise error if you REALIZED to enable Dynamic Signature scans
+          # if (!((& "C:\Program Files\Windows Defender\MpCmdRun.exe" -ListAllDynamicSignatures) | Select-String -Pattern "SignatureSet ID:")) {
+          #   Exit 42
+          # }
+          & "C:\Program Files\Windows Defender\MpCmdRun.exe" -ListAllDynamicSignatures
+      - uses: actions/checkout@v4
+        with:
+          # KEEP fetch-depth for goreleaser
+          # https://github.com/goreleaser/goreleaser-action/blob/696b757ee8f3742e68b261173b9eeeb96306a57f/README.md?plain=1#L77
+          fetch-depth: 0
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: 'go.mod'
+          cache-dependency-path: 'go.sum'
+      - name: Install goreleaser
+        uses: goreleaser/goreleaser-action@v5
+        with:
+          install-only: true
+          version: 'v1.24.0' # selfup { "regex": "\\d[^']+", "script": "goreleaser --version | grep 'GitVersion:' | tr -s ' ' | cut -d ' ' -f 2" }
+      - name: List files - before build
+        run: Get-ChildItem
+      - name: Build winit-*
+        run: goreleaser build --snapshot --clean
+      - name: List files - after build
+        run: |
+          Get-ChildItem
+          Get-ChildItem -Recurse .\dist
+      # https://github.com/goreleaser/goreleaser-action/tree/5fdedb94abba051217030cc86d4523cf3f02243d#upload-artifacts
+      - name: Upload artifact
+        id: upload-artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: winit
+          path: dist/**/*.exe
+      - name: Download the artifact to make sure we can actually use it
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" `
+            repos/${{ github.repository }}/actions/artifacts/${{ steps.upload-artifact.outputs.artifact-id }}/zip > distributed-artifact.zip
+      - name: Check Windows Defender does not false positive detect the product
+        run: |
+          & "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -Trace -File "$(pwd)\dist"
+          & "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -Trace -File "$(pwd)\distributed-artifact.zip"
+
+          # Do not enable this as possible, too slow ... Scanning all folders with this option? :<
+          # Start-MpScan -ScanPath "$pwd"
+
+          Get-MpThreat
+          Get-MpThreatDetection
+      # Skipping because of bit slow...
+      # - name: Collect Defender log
+      #   run: |
+      #     New-Item -Force -ItemType "Directory" -Path MpCmdRun-logs
+      #     & "C:\Program Files\Windows Defender\MpCmdRun.exe" -GetFiles -SupportLogLocation "$(pwd)\MpCmdRun-logs"
+      #
+      # Enable this section when you want to update logics and check it
+      # - name: Upload artifact
+      #   id: upload-defender-log
+      #   uses: actions/upload-artifact@v4
+      #   with:
+      #     name: MpCmdRun-logs
+      #     path: MpCmdRun-logs/**
+      #
+      # Do not write depending winget logcs for now
+      # - windows-2025 definitely enable it by default
+      # - windows-2022 may realize with the action: https://github.com/microsoft/winget-cli/issues/3872
+      # - proposal: https://github.com/actions/runner-images/issues/910
+      # - note: https://github.com/microsoft/winget-cli/blob/b07d2ebb7d865f95320e2bc708a2d1efb2152c5a/README.md#L14
+      - name: Rebel against unacceptable default
+        run: |
+          .\dist\winit-reg_windows_amd64_v1\winit-reg.exe list
+          .\dist\winit-reg_windows_amd64_v1\winit-reg.exe run --all
+      # This logics can be finished even if tools are not installed
+      - name: Put config files around terminals
+        run: |
+          Write-Host "$PROFILE"
+          .\dist\winit-conf_windows_amd64_v1\winit-conf.exe run -pwsh_profile_path "$PROFILE"
+      - name: Make sure it correctly copied some config files
+        run: |
+          Test-Path "$PROFILE"
+          Get-Content "$PROFILE"
+      - name: Release the product
+        if: startsWith(github.ref, 'refs/tags/')
+        run: |
+          goreleaser release --clean

.goreleaser.yaml

@@ -2,10 +2,10 @@
 # Make sure to check the documentation at https://goreleaser.com
 before:
   hooks:
-    # You may remove this if you don't use go modules.
-    - go mod tidy
-    # you may remove this if you don't need go generate
-    - go generate ./...
+    # # You may remove this if you don't use go modules.
+    # - go mod tidy
+    # # you may remove this if you don't need go generate
+    # - go generate ./...
 # https://github.com/orgs/goreleaser/discussions/1531
 builds:
   - id: winit-reg

README.md

@@ -1,7 +1,7 @@
 # dotfiles
 
 [![Home Status](https://github.com/kachick/dotfiles/actions/workflows/ci-home.yml/badge.svg?branch=main)](https://github.com/kachick/dotfiles/actions/workflows/ci-home.yml?query=branch%3Amain+)
-[![Home Status](https://github.com/kachick/dotfiles/actions/workflows/ci-windows.yml/badge.svg?branch=main)](https://github.com/kachick/dotfiles/actions/workflows/ci-windows.yml?query=branch%3Amain+)
+[![Home Status](https://github.com/kachick/dotfiles/actions/workflows/windows.yml/badge.svg?branch=main)](https://github.com/kachick/dotfiles/actions/workflows/windows.yml?query=branch%3Amain+)
 [![Nix Status](https://github.com/kachick/dotfiles/actions/workflows/ci-nix.yml/badge.svg?branch=main)](https://github.com/kachick/dotfiles/actions/workflows/ci-nix.yml?query=branch%3Amain+)
 [![CI - Go Status](https://github.com/kachick/dotfiles/actions/workflows/ci-go.yml/badge.svg?branch=main)](https://github.com/kachick/dotfiles/actions/workflows/ci-go.yml?query=branch%3Amain+)
 [![Container Status](https://github.com/kachick/dotfiles/actions/workflows/container.yml/badge.svg?branch=main)](https://github.com/kachick/dotfiles/actions/workflows/container.yml?query=branch%3Amain+)

config/windows/README.md

@@ -4,7 +4,7 @@
 
 Basically following codes will be done in PowerShell
 
-1. Download the windows helper binaries from [GitHub releases](https://github.com/kachick/dotfiles/releases) or uploaded artifacts in [each workflow](https://github.com/kachick/dotfiles/actions/workflows/release.yml) summary
+1. Download the windows helper binaries from [GitHub releases](https://github.com/kachick/dotfiles/releases) or uploaded artifacts in [each workflow](https://github.com/kachick/dotfiles/actions/workflows/windows.yml) summary
 1. New session of pwsh
    ```powershell
    ./winit-conf.exe run -pwsh_profile_path "$PROFILE"

config/windows/winget/winget-pkgs-basic.json

@@ -64,6 +64,9 @@
         {
           "PackageIdentifier": "Starship.Starship"
         },
+        {
+          "PackageIdentifier": "GoLang.Go"
+        },
         {
           "PackageIdentifier": "Microsoft.VisualStudioCode"
         }