Exclude test directories from Windows Defender to speed up Windows CI #385
imnasnainaec wants to merge 2 commits into
Conversation
Addresses review feedback on #385:
- Step now runs immediately after Build so all test steps benefit
- ExclusionPath narrowed from $env:TEMP to $env:GITHUB_WORKSPACE; hg.exe process exclusion already covers scanning overhead on temp dirs where test repos are created

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This strikes me as a good idea; certainly scanning and re-scanning hg.exe is a waste of time. It's slow enough to start up as it is, and Chorus calls

comparing the
Problem

The LibChorus test suite spawns approximately 1,822 hg.exe processes during a full Windows CI run. Each process invocation takes roughly 1.9 seconds, a non-trivial portion of which is Windows Defender AV scanning the Mercurial binary and the temporary test repository directories it touches. This contributes an estimated 57 minutes of overhead (1,822 × 1.9 s) to the Windows job.

Change

Adds a new step immediately before "Test LibChorus" that registers two non-destructive AV exclusions using Add-MpPreference:
- $env:TEMP: covers the C:\Users\runneradmin\AppData\Local\Temp\ChorusTest-* directories where test repos are created and destroyed at high frequency.
- hg.exe (process name): tells Defender to skip on-access scanning of the Mercurial binary itself on every invocation.

The step is gated with if: runner.os == 'Windows' so it is a no-op on Linux/macOS runners. Add-MpPreference adds to the exclusion list rather than disabling Defender globally, keeping the runner secure.

Expected Impact

AV scanning is typically 50–70% of the per-process overhead for short-lived executables on GitHub-hosted Windows runners. Excluding the temp directory and the hg.exe process should bring each invocation meaningfully closer to bare execution time, potentially reducing the Windows CI wall-clock time by 30–50 minutes.

Devin review
https://app.devin.ai/review/sillsdev/chorus/pull/385
Security trade-off of disabling AV scanning in CI
The step disables Windows Defender real-time scanning for the entire $env:GITHUB_WORKSPACE directory and the hg.exe process. While this is a common pattern to speed up CI builds and reduce flaky test failures caused by file-locking from AV scanning, it does mean that any malicious code introduced via dependencies or supply-chain attacks during the test phase would not be caught by Defender. This is generally acceptable for CI environments since GitHub-hosted runners are ephemeral, but worth noting for security-conscious teams.

This change is
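The exclusion step itself is not shown on this page. As an added example (not the PR's own step and not code from the Chorus project), the PowerShell below shows one way to register the narrowed exclusions the commit message describes, verify that Defender actually applied them rather than assuming it did, and remove them when the job ends. It assumes a GitHub-hosted Windows runner where $env:GITHUB_WORKSPACE is set and the shell runs elevated (Add-MpPreference needs administrator rights); the function names Add-CiDefenderExclusions and Remove-CiDefenderExclusions are this example's own.

```powershell
# Added example, not the PR's step: narrowly scoped Defender exclusions for a
# CI job, with verification and cleanup. Assumes an elevated shell on a
# GitHub-hosted Windows runner (GITHUB_WORKSPACE is set by the runner).
$ErrorActionPreference = 'Stop'

# Scope deliberately limited to the checked-out workspace and the Mercurial
# process name. Not $env:TEMP and never a drive root: keep the unscanned
# surface as small as the job needs.
$exclusionPath    = $env:GITHUB_WORKSPACE
$exclusionProcess = 'hg.exe'

if (-not $exclusionPath) {
    throw 'GITHUB_WORKSPACE is not set; refusing to register an empty path exclusion.'
}

function Add-CiDefenderExclusions {
    # Do NOT use Set-MpPreference -DisableRealtimeMonitoring $true here: that
    # switches real-time protection off for the whole runner, not just the job.
    Add-MpPreference -ExclusionPath $exclusionPath -ExclusionProcess $exclusionProcess

    # Add-MpPreference is silent on success, so read the effective preference
    # back. This also catches images where Defender is tamper-protected or
    # not present, instead of silently running the job unchanged.
    $pref = Get-MpPreference
    if ($pref.ExclusionPath -notcontains $exclusionPath) {
        throw "Path exclusion was not applied: $exclusionPath"
    }
    if ($pref.ExclusionProcess -notcontains $exclusionProcess) {
        throw "Process exclusion was not applied: $exclusionProcess"
    }
    Write-Host "Defender exclusions active: path=$exclusionPath process=$exclusionProcess"
}

function Remove-CiDefenderExclusions {
    # Symmetric cleanup. Harmless on an ephemeral hosted runner; on a
    # self-hosted runner it stops the exclusion from leaking into later jobs.
    Remove-MpPreference -ExclusionPath $exclusionPath -ExclusionProcess $exclusionProcess
    Write-Host 'Defender exclusions removed'
}
```

Call Add-CiDefenderExclusions from a step placed right after Build with `if: runner.os == 'Windows'`, and Remove-CiDefenderExclusions from a final step with `if: always() && runner.os == 'Windows'` so the cleanup runs even when tests fail. Two caveats when reading the Change section against this: a process exclusion (-ExclusionProcess) stops Defender scanning files that hg.exe opens, it does not exempt the hg.exe binary itself from being scanned, so the per-launch cost the description attributes to scanning the binary is only addressed by a path exclusion that covers where hg.exe lives; and excluding the workspace means anything a dependency writes there during the test phase goes unscanned, which is exactly the trade-off the review above calls out.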