Skip to content

Devops/3415 windows virus false positive#3421

Closed
riatzukiza wants to merge 77 commits intoanomalyco:devfrom
riatzukiza:devops/3415-windows-virus-false-positive
Closed

Devops/3415 windows virus false positive#3421
riatzukiza wants to merge 77 commits intoanomalyco:devfrom
riatzukiza:devops/3415-windows-virus-false-positive

Conversation

@riatzukiza
Copy link
Contributor

@riatzukiza riatzukiza commented Oct 24, 2025

addresses #3415

@riatzukiza riatzukiza marked this pull request as ready for review October 25, 2025 02:22
@riatzukiza riatzukiza marked this pull request as draft October 25, 2025 05:28
thdxr and others added 28 commits October 31, 2025 08:36
@thdxr @riatzukiza
ci: ignore
6b96d74
@thdxr @riatzukiza
ci: ignore
240cb99
@rekram1-node @riatzukiza
fix: unawaited promise causes opencode to use unenabled formatter (an…
0aa9209 
…omalyco#625)
@timoclsn @riatzukiza
fix: typescript error (anomalyco#618)
16dc215
@thdxr @riatzukiza
ignore: ci
f05aa93
@thdxr @riatzukiza
ci: ignore
4eeb30f
@riatzukiza
Add opencode workflow
995d428
@riatzukiza
Add opencode workflow
9ba1d12
@riatzukiza
Add opencode workflow
0ddf87d
@riatzukiza
Add opencode workflow
57e3aa6
@riatzukiza
Add opencode workflow
9495401
@riatzukiza
add threat scanning workflows
402937f
@riatzukiza
adjusted event triggers
4eccc1a
@riatzukiza
reverting accidental edit
ba866b1
@riatzukiza
ci: guard AV workflows on PRs + robust tag resolution
6425c63 
- add job-level if: to run only on release/workflow_dispatch
- add Resolve release tag step (supports manual input + last release fallback)
- harden MpCmdRun.exe resolution on windows-latest

This prevents PR runs from failing when github.event.release.tag_name is undefined and makes manual runs usable.
@riatzukiza
ci: enable PR/push AV scans (no releases required)
06127b2 
- Add PR/push jobs for ClamAV (Linux) and Windows Defender (Windows)
- Keep release/workflow_dispatch jobs for scanning published assets
- No secret usage in PR/push jobs; uses repo/build outputs or repo archive
- Upload PR scan payload/logs as artifacts
@riatzukiza
ci: add heuristic build steps to PR ClamAV job (Node/Rust/Go)
c96006b 
- Detect common stacks and attempt install+build for each
- Package best available outputs (dist/build/target/release) for scanning
- Keep release/manual job unchanged
@riatzukiza
ci: harden heuristic PR build (corepack, non-fatal builds, tarball)
f4d2191 
- Enable corepack; prep yarn if yarn.lock present
- Make Node/Rust/Go builds best-effort (won't fail the job)
- Use tar.gz instead of zip to avoid zip dependency
- Keep scanning entire dist-pr directory with --scan-archive=yes
@riatzukiza
ci: add Bun (bun.lockb) support to PR build (Ubuntu)
e475ff6 
- Detect bun.lockb and use oven-sh/setup-bun@v1
- Run `bun install` + `bun run build` before packaging
- Keep Node/Rust/Go heuristics as fallback
@riatzukiza
ci: remove third‑party setup actions in PR scan; install Bun/Rust via…
12f01e4 
… shell

- Replace oven-sh/setup-bun with curl installer and PATH export
- Drop pnpm/action-setup; use corepack to activate pnpm/yarn
- Replace dtolnay/rust-toolchain with rustup bootstrap
- Add defaults.run.shell: bash; small permissions tweaks
- Keep Go using first‑party actions/setup-go@v5
- Include schedule in release job guard to avoid skipped runs
@riatzukiza
ci: add minimal smoke workflow (ubuntu/windows/macos) to diagnose sta…
e81d21d 
…rtup failures
@riatzukiza
removeed push action
5c8ddd4
@riatzukiza
yaml error
b5cd1da
@riatzukiza
removed useless smoke test
b0c8760
@riatzukiza
ci: fix scanners (owasp dep-check action pin, clamav DB init, windows…
9616dbc 
… zip contention)

- owasp: use dependency-check/Dependency-Check_Action@1.1.0 and cache DC data
- clamav: install freshclam db before clamscan; package build outputs for PRs; scan release assets
- defender: handle zip handle contention; scan release assets and surface detections
@riatzukiza
ci(owasp,defender): fix dep-check inputs (no 'out'; use format=ALL + …
51243ee 
…args --out); avoid zip handle contention by using unique filename and glob for scan/upload
@riatzukiza
ci(clamav): detect bun/node/rust/go across repo; only run node when n…
f3e76be 
…o bun; stage outputs; extract before clamscan for real file counts
@riatzukiza
ci(defender): avoid Compress-Archive lock by zipping to %RUNNER_TEMP%…
10f3718 
… with bsdtar + retries; then Move-Item into dist-pr
@riatzukiza riatzukiza force-pushed the devops/3415-windows-virus-false-positive branch from b565c49 to 7fec270 Compare October 31, 2025 13:36
@github-actions github-actions bot force-pushed the dev branch 3 times, most recently from f1dc981 to 3e15a39 Compare November 22, 2025 18:07
@github-actions github-actions bot force-pushed the dev branch 3 times, most recently from f8ee907 to 6a9856d Compare November 27, 2025 01:29
@thdxr thdxr force-pushed the dev branch 3 times, most recently from f1ae801 to 08fa7f7 Compare January 30, 2026 14:37
@github-actions
Copy link
Contributor

github-actions bot commented Feb 2, 2026

Closing this pull request because it has had no updates for more than 60 days. If you plan to continue working on it, feel free to reopen or open a new PR.

@github-actions github-actions bot closed this Feb 2, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@riatzukiza @thdxr @rekram1-node @timoclsn

Comments