Devops/3415 windows virus false positive #3421
Draft
riatzukiza wants to merge 62 commits into sst:dev from riatzukiza:devops/3415-windows-virus-false-positive
- add job-level if: to run only on release/workflow_dispatch
- add Resolve release tag step (supports manual input + last release fallback)
- harden MpCmdRun.exe resolution on windows-latest

This prevents PR runs from failing when github.event.release.tag_name is undefined and makes manual runs usable.

- Add PR/push jobs for ClamAV (Linux) and Windows Defender (Windows)
- Keep release/workflow_dispatch jobs for scanning published assets
- No secret usage in PR/push jobs; uses repo/build outputs or repo archive
- Upload PR scan payload/logs as artifacts

- Detect common stacks and attempt install+build for each
- Package best available outputs (dist/build/target/release) for scanning
- Keep release/manual job unchanged

- Enable corepack; prep yarn if yarn.lock present
- Make Node/Rust/Go builds best-effort (won't fail the job)
- Use tar.gz instead of zip to avoid zip dependency
- Keep scanning entire dist-pr directory with --scan-archive=yes

- Detect bun.lockb and use oven-sh/setup-bun@v1
- Run `bun install` + `bun run build` before packaging
- Keep Node/Rust/Go heuristics as fallback

… shell
- Replace oven-sh/setup-bun with curl installer and PATH export
- Drop pnpm/action-setup; use corepack to activate pnpm/yarn
- Replace dtolnay/rust-toolchain with rustup bootstrap
- Add defaults.run.shell: bash; small permissions tweaks
- Keep Go using first‑party actions/setup-go@v5
- Include schedule in release job guard to avoid skipped runs

… zip contention)
- owasp: use dependency-check/[email protected] and cache DC data
- clamav: install freshclam db before clamscan; package build outputs for PRs; scan release assets
- defender: handle zip handle contention; scan release assets and surface detections

…args --out); avoid zip handle contention by using unique filename and glob for scan/upload
…:riatzukiza/opencode into devops/3415-windows-virus-false-positive
…o bun; stage outputs; extract before clamscan for real file counts
… with bsdtar + retries; then Move-Item into dist-pr
…kip policy; attach detections JSON in artifact
…les; upload from 'reports' (action default)
…tion), package build output and scan with ClamAV
… outputs, extract + scan with ClamAV, upload logs + payload
…ication to next step
…(bundle/opencode.zip)
…dle/opencode.zip; scan extracted bundle
…le; upload bundle
…e.zip; scan extracted directory; upload detections
… PR/release/dispatch share one build via composite; deprecate old PR/Release files
…sent); package dist/build if present else repo minus heavy dirs
…prettier script defined)
…up-bun for back-compat with existing workflows
…vert non-security change to script/format.ts
…rus-false-positive
…s artifact and defender job scans extracted dir
…sitive' into devops/3415-windows-virus-false-positive
…/.bun if cached version != requested; keep bun install step
… verify exact version. build-package now uses this action.
addresses #3415