
Add Microsoft Defender scan job to release workflow#35482

Merged: pelikhan merged 5 commits into main from copilot/add-defender-job-release-md on May 28, 2026


Conversation

Contributor

Copilot AI commented May 28, 2026

Windows release binaries need antivirus validation before shipping. Adds a defender job that gates sync_actions on a clean Defender scan of the Windows binaries produced by push_tag.

Changes

  • New defender job (windows-latest, needs push_tag):

    • Resolves MpCmdRun.exe path dynamically with ProgramFiles(x86) fallback
    • Updates Defender signatures using the resolved path
    • Logs full Defender diagnostic info (status, preferences, service state, signature version) before scanning
    • For each windows-*.exe binary:
      • Stabilizes the file to avoid transient build/link races
      • Copies to a temp directory outside GITHUB_WORKSPACE before scanning
      • Validates hash integrity of the copied file
      • Scans with -Scan -ScanType 3 -File -DisableRemediation
      • Parses MpCmdRun output to detect skipped/excluded scans and threat indicators (not just exit code)
    • Fails if any binary fails stabilization, copy, hash check, or scan
  • sync_actions now lists defender in its needs, blocking the manual approval gate until the scan passes

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@pelikhan
Collaborator

@copilot make recompile

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Contributor Author

Copilot AI commented May 28, 2026

@copilot make recompile

Done — release.lock.yml has been regenerated with the defender job included (commit Recompile workflows: regenerate release.lock.yml with defender job).

@pelikhan pelikhan marked this pull request as ready for review May 28, 2026 14:37
Copilot AI review requested due to automatic review settings May 28, 2026 14:37
Contributor

Copilot AI left a comment


Pull request overview

Adds a Microsoft Defender antivirus scan job to the release workflow that gates sync_actions on a clean scan of the Windows release binaries produced by push_tag.

Changes:

  • New defender job on windows-latest that downloads the release binaries, updates Defender signatures, and runs a custom scan on windows-*.exe.
  • sync_actions (and the generated conclusion job) now depend on defender.
  • Regenerated release.lock.yml with updated frontmatter hash and prompt/config heredoc tokens.
Summary per file:

  • .github/workflows/release.md: Adds the defender job and inserts it into sync_actions's needs.
  • .github/workflows/release.lock.yml: Regenerated compiled workflow reflecting the new job and dependency edges.

Copilot's findings


  • Files reviewed: 2/2 changed files
  • Comments generated: 0

@github-actions
Contributor

@copilot review all comments and summarize the remaining blockers for this PR.
pr-sous-chef run: https://github.com/github/gh-aw/actions/runs/26583599251

Generated by 👨‍🍳 PR Sous Chef · gpt54 3.6M ·

@pelikhan
Collaborator

Copilot AI and others added 2 commits May 28, 2026 18:15
…job-release-md

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
…recompile

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Contributor Author

Copilot AI commented May 28, 2026

@copilot merge main, reuse script in https://github.com/github/gh-aw/pull/35494/changes#diff-08b5a29e2592fd426534bc3ad60f60e3cb72fa2d6730530dc6a6284a12bd7438L1632 to run defender and recompile

Done — merged main and replaced the simpler defender steps with the hardened script from PR #35494, adapted for multiple Windows binaries. The updated defender job now:

  • Resolves MpCmdRun.exe path dynamically (with ProgramFiles(x86) fallback)
  • Updates signatures using the resolved path
  • Logs full Defender diagnostic info (status, preferences, service state)
  • For each windows-*.exe: stabilizes the file, copies it to a temp dir outside GITHUB_WORKSPACE, validates hash integrity, and scans with -DisableRemediation
  • Parses MpCmdRun output to catch skipped/excluded scans and threat indicators (not just exit code)

release.lock.yml has been recompiled (commit Update defender job: reuse hardened script from cgo.yml (PR #35494), recompile).
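The defender job is described twice in this thread, in the opening PR description and again in the reply above. The PowerShell below is an added example written for this page to show the whole sequence end to end (resolve MpCmdRun.exe with a ProgramFiles(x86) fallback, update signatures, log diagnostics, then stabilize, copy, hash-check, scan and parse for each windows-*.exe). It is not the script from PR #35494, cgo.yml or release.md. It assumes the binaries sit in a dist directory under GITHUB_WORKSPACE, that the Defender PowerShell module and MpCmdRun.exe are present as on windows-latest, and that MpCmdRun's documented exit codes (0 clean, 2 threats found) hold; the text patterns it matches ("found no threats", "skipped", "excluded") and the two-sample stabilization rule are assumptions, not something the PR states.

```powershell
# Added example for this page, not the project's own defender script.
# Assumptions: binaries in $BinDir; Get-MpComputerStatus/Get-MpPreference and
# MpCmdRun.exe available as on windows-latest; MpCmdRun exit codes 0 = clean,
# 2 = threats found; the output patterns in Test-ScanOutput are assumed and
# should be re-checked against a real run on the target runner image.
param(
    [string]$BinDir = (Join-Path $env:GITHUB_WORKSPACE 'dist')
)
$ErrorActionPreference = 'Stop'

function Resolve-MpCmdRun {
    # Newest versioned Platform directory first, then the legacy install path,
    # under both ProgramFiles and ProgramFiles(x86).
    $candidates = @()
    foreach ($root in @($env:ProgramFiles, ${env:ProgramFiles(x86)})) {
        if (-not $root) { continue }
        $platform = Join-Path $root 'Windows Defender\Platform'
        if (Test-Path $platform) {
            foreach ($dir in Get-ChildItem $platform -Directory | Sort-Object LastWriteTime -Descending) {
                $candidates += (Join-Path $dir.FullName 'MpCmdRun.exe')
            }
        }
        $candidates += (Join-Path $root 'Windows Defender\MpCmdRun.exe')
    }
    $found = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $found) { throw 'MpCmdRun.exe not found under ProgramFiles or ProgramFiles(x86)' }
    return $found
}

function Wait-FileStable {
    param([string]$Path, [int]$Attempts = 5)
    # Two consecutive identical size+SHA-256 samples, so a binary the linker is
    # still writing is not scanned half-finished. Returns the stable hash.
    $prev = $null
    for ($i = 0; $i -lt $Attempts; $i++) {
        $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        $cur = '{0}:{1}' -f (Get-Item $Path).Length, $hash
        if ($cur -eq $prev) { return $hash }
        $prev = $cur
        Start-Sleep -Seconds 2
    }
    throw "File did not stabilize after $Attempts samples: $Path"
}

function Test-ScanOutput {
    param([string[]]$Lines, [int]$ExitCode)
    # Verdict from the text, not only the exit code: an excluded or skipped
    # file can exit 0 without ever having been inspected.
    $text = ($Lines -join "`n")
    if ($text -match '(?i)\b(skipped|excluded)\b')                        { return 'skipped' }
    if ($ExitCode -eq 2 -or $text -match '(?i)found [1-9]\d* threat')     { return 'threat' }
    if ($ExitCode -eq 0 -and $text -match '(?i)found no threats')         { return 'clean' }
    return "error(exit=$ExitCode)"
}

$mp = Resolve-MpCmdRun
Write-Host "Using $mp"
& $mp -SignatureUpdate | Out-Host

# Diagnostics before scanning, so a failed run shows whether the engine,
# real-time protection and signatures were actually in a usable state.
Get-MpComputerStatus | Select-Object AMServiceEnabled, RealTimeProtectionEnabled,
    AntivirusSignatureVersion, AntivirusSignatureLastUpdated | Format-List | Out-Host
Get-MpPreference | Select-Object DisableRealtimeMonitoring, ExclusionPath, ExclusionExtension |
    Format-List | Out-Host
Get-Service WinDefend | Format-List Name, Status | Out-Host

# Scan copies outside GITHUB_WORKSPACE so a workspace-level exclusion on the
# runner cannot silently turn the scan into a no-op.
$scratch = Join-Path ([IO.Path]::GetTempPath()) ('defender-scan-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $scratch | Out-Null
$failures = @()
foreach ($exe in Get-ChildItem -Path $BinDir -Filter 'windows-*.exe' -File) {
    $expected = Wait-FileStable -Path $exe.FullName
    $copy = Join-Path $scratch $exe.Name
    Copy-Item -Path $exe.FullName -Destination $copy
    $actual = (Get-FileHash -Path $copy -Algorithm SHA256).Hash
    if ($actual -ne $expected) { $failures += "$($exe.Name): hash mismatch after copy"; continue }

    $output = & $mp -Scan -ScanType 3 -File $copy -DisableRemediation | ForEach-Object { "$_" }
    $verdict = Test-ScanOutput -Lines $output -ExitCode $LASTEXITCODE
    Write-Host "$($exe.Name) sha256=$actual verdict=$verdict"
    if ($verdict -ne 'clean') { $failures += "$($exe.Name): $verdict" }
}
if ($failures.Count -gt 0) {
    $failures | ForEach-Object { Write-Host "FAIL $_" }
    exit 1
}
Write-Host 'All Windows binaries scanned clean'
```

Run it after the artifact download step with -BinDir pointing at the directory holding the windows-*.exe files. The point of requiring the literal "found no threats" line, rather than accepting exit code 0, is that the job then fails closed: a missing engine, an exclusion covering the temp path, or a changed output format all produce a non-clean verdict instead of a silent pass. Any MpCmdRun output that hits the skipped/excluded branch means the Get-MpPreference exclusion list printed above is the first thing to check.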

@pelikhan pelikhan merged commit cb2c21e into main May 28, 2026
@pelikhan pelikhan deleted the copilot/add-defender-job-release-md branch May 28, 2026 18:42