Exclude test directories from Windows Defender to speed up Windows CI #385
Draft
imnasnainaec wants to merge 2 commits into
Addresses review feedback on #385:
- Step now runs immediately after Build so all test steps benefit
- ExclusionPath narrowed from $env:TEMP to $env:GITHUB_WORKSPACE; hg.exe process exclusion already covers scanning overhead on temp dirs where test repos are created

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Problem
The LibChorus test suite spawns approximately 1,822 hg.exe processes during a full Windows CI run. Each process invocation takes roughly 1.9 seconds, a non-trivial portion of which is Windows Defender AV scanning the Mercurial binary and the temporary test repository directories it touches.
This contributes an estimated 57 minutes of overhead (1,822 × 1.9 s) to the Windows job.

Change
Adds a new step immediately before "Test LibChorus" that registers two non-destructive AV exclusions using Add-MpPreference:
- $env:TEMP — covers the C:\Users\runneradmin\AppData\Local\Temp\ChorusTest-* directories where test repos are created and destroyed at high frequency.
- hg.exe (process name) — tells Defender to skip on-access scanning of the Mercurial binary itself on every invocation.
The step is gated with if: runner.os == 'Windows' so it is a no-op on Linux/macOS runners. Add-MpPreference adds to the exclusion list rather than disabling Defender globally, keeping the runner secure.

Expected Impact
AV scanning is typically 50–70% of the per-process overhead for short-lived executables on GitHub-hosted Windows runners. Excluding the temp directory and the hg.exe process should bring each invocation meaningfully closer to bare execution time, potentially reducing the Windows CI wall-clock time by 30–50 minutes.

Devin review
https://app.devin.ai/review/sillsdev/chorus/pull/385
Security trade-off of disabling AV scanning in CI
The step disables Windows Defender real-time scanning for the entire $env:GITHUB_WORKSPACE directory and the hg.exe process. While this is a common pattern to speed up CI builds and reduce flaky test failures caused by file-locking from AV scanning, it does mean that any malicious code introduced via dependencies or supply-chain attacks during the test phase would not be caught by Defender. This is generally acceptable for CI environments since GitHub-hosted runners are ephemeral, but worth noting for security-conscious teams.

This change is
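
As an added example (not the PR's own workflow step or the project's code), the PowerShell below applies the two exclusions in the narrowed form the follow-up commit describes and reads them back with Get-MpPreference, so the job log records what Defender skips and a broad path such as $env:TEMP or a drive root is surfaced. It assumes an elevated pwsh step on a GitHub-hosted Windows runner where RUNNER_OS and GITHUB_WORKSPACE are set.

```powershell
# Added example, not the PR's workflow step. Assumes an elevated pwsh session
# on a GitHub-hosted Windows runner with the Defender cmdlets available.
$ErrorActionPreference = 'Stop'
if ($env:RUNNER_OS -ne 'Windows') { Write-Host 'Not Windows; skipping.'; return }

$wantPath = $env:GITHUB_WORKSPACE   # narrowed scope named in the commit message
$wantProc = 'hg.exe'                # process exclusion named in the description

# Refuse an empty value or a drive root: either would exclude far more than the checkout.
if ([string]::IsNullOrWhiteSpace($wantPath) -or
    [System.IO.Path]::GetPathRoot($wantPath).TrimEnd('\') -eq $wantPath.TrimEnd('\')) {
    throw "Refusing to add Defender path exclusion '$wantPath'"
}

Add-MpPreference -ExclusionPath $wantPath
Add-MpPreference -ExclusionProcess $wantProc

# Read the lists back so the job log records exactly what Defender now skips.
$pref  = Get-MpPreference
$paths = @($pref.ExclusionPath)    | Where-Object { $_ }
$procs = @($pref.ExclusionProcess) | Where-Object { $_ }
Write-Host "ExclusionPath:    $($paths -join '; ')"
Write-Host "ExclusionProcess: $($procs -join '; ')"

# Surface any path exclusion (pre-existing or new) that equals TEMP or a drive root.
# Comparison is a literal, case-insensitive string match; 8.3 short paths are not expanded.
$tooBroad = @($paths | Where-Object {
    $p = $_.TrimEnd('\')
    ($p -eq ($env:TEMP).TrimEnd('\')) -or
    ($p -eq [System.IO.Path]::GetPathRoot($_).TrimEnd('\'))
})
if ($tooBroad.Count -gt 0) {
    Write-Warning "Broad Defender path exclusion(s) present: $($tooBroad -join '; ')"
}

# Fail the step if the intended exclusions did not take effect.
if ($paths -notcontains $wantPath) { throw "Path exclusion missing: $wantPath" }
if ($procs -notcontains $wantProc) { throw "Process exclusion missing: $wantProc" }
```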