ci(smoke): fail soft when the Windows Defender scan engine can't run#959
Open
DeusData wants to merge 1 commit into
Open
ci(smoke): fail soft when the Windows Defender scan engine can't run#959DeusData wants to merge 1 commit into
DeusData wants to merge 1 commit into
Conversation
The Defender step treated any non-zero MpCmdRun exit as 'flagged binary!' and failed the job. But MpCmdRun -Scan returns 2 for a real detection and 0 for clean; any other non-zero means the scan engine itself could not run (e.g. hr=0x800106ba: the Defender antimalware service is unavailable on the runner), which is a transient runner-side flake, not a detection. This false-failed the v0.9.0 release on its first attempt. Only exit 2 now hard- blocks; an engine failure emits a warning and continues. Signed-off-by: Martin Vogel <martin.vogel.tech@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
The
Windows Defender scanstep in_smoke.ymltreated any non-zeroMpCmdRunexit as a malware detection ("BLOCKED: flagged binary!"; exit 1). ButMpCmdRun -Scanreturns 2 for a real detection and 0 for clean; any other non-zero means the scan engine could not run at all — e.g.hr=0x800106ba, the Defender antimalware service being unavailable on the runner, a chronic transient flake on GitHub's windows-arm64 runners.This false-failed the v0.9.0 release on its first attempt (a re-run on a fresh runner passed). Worse, the "flagged binary!" wording mislabels a runner outage as malware.
Change
Distinguish the two: only exit 2 (an actual detection) hard-blocks; an engine failure emits
::warning::and continues.CI-change scope (per repo policy)