Pipeline Orchestration
Palyra’s automation is divided into three primary functional domains: Quality (CI), Security (Gates), and Distribution (Release). These pipelines ensure that every commit to the monorepo maintains structural integrity, adheres to security policies, and can be packaged into portable artifacts for various operating systems.

CI/CD Workflow Overview
The CI system is designed to validate the Rust workspace, the React-based web dashboard, and the Tauri desktop applications across Linux, macOS, and Windows.

| Workflow | Purpose | Key Tools |
|---|---|---|
| `ci.yml` | Core validation, linting, and testing. | `cargo`, `clippy`, `rustfmt`, `vp` |
| `security.yml` | Supply chain audit and secret scanning. | `cargo-deny`, `osv-scanner`, `gitleaks` |
| `release.yml` | Packaging, versioning, and distribution. | `tauri-build`, `powershell`, `gh-cli` |
| `codeql.yml` | Static analysis and vulnerability scanning. | CodeQL |
CI Pipeline and Quality Gates
The CI pipeline enforces strict quality standards before any code is merged into the `main` branch. This includes multi-platform builds, module budget enforcement, and a specialized CLI parity matrix to ensure command-line consistency.
- Multi-Platform Matrix: Builds and tests are executed on `ubuntu-latest`, `macos-latest`, and `windows-latest` .github/workflows/ci.yml#18-23.
- Quality Gates: Includes `rustfmt` checks, `clippy` lints (denying warnings), and `vp check` for the frontend applications .github/workflows/ci.yml#212-217.
- Deterministic Core: A dedicated suite for testing the daemon’s core logic under deterministic conditions .github/workflows/ci.yml#89-122.
- CLI Parity: Validates the CLI against a parity matrix to ensure feature alignment across different environments .github/workflows/ci.yml#218-241.
Security Gates and Supply Chain
Palyra implements a “Shift Left” security strategy, integrating automated vulnerability scanning and secret detection directly into the development workflow.

Security Architecture Relationship
The following diagram illustrates how security tools interface with the codebase entities:
- Supply Chain: Uses `cargo-deny` and `osv-scanner` to detect vulnerable dependencies in the Rust workspace .github/workflows/security.yml#98-104.
- Secret Scanning: `gitleaks` scans the repository history for accidentally committed credentials .github/workflows/security.yml#120-124.
- SBOM: Generates a Software Bill of Materials using `cargo-cyclonedx` for every release .github/workflows/security.yml#131-145.
Release Packaging and Distribution
The release process automates the creation of portable bundles for the daemon (palyrad), the browser automation service (palyra-browserd), and the desktop application.
Release Artifact Pipeline
This diagram shows the flow from source components to the final release assets:
- Version Coherence: A PowerShell script, `assert-version-coherence.ps1`, ensures that all crate versions match the release tag .github/workflows/release.yml#45-50.
- Portable Bundles: Creates standalone archives containing the daemon, CLI, and web dashboard for headless or portable usage .github/workflows/release.yml#120-170.
- Attestation: Generates build provenance and attestations to verify the integrity of the distributed binaries .github/workflows/release.yml#21-22.
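The version-coherence gate described above, as an added example that reimplements the check in Python rather than in the project’s PowerShell script (it is not Palyra’s own code): it reads each crate’s `[package]` version, resolves versions inherited through `version.workspace = true`, and reports any crate that disagrees with the release tag. The manifests, crate names, paths and versions below are constructed samples, not the real workspace.

```python
"""Version-coherence gate: every crate's version must match the release tag."""
import re
from typing import Dict, List, Optional

# Constructed sample manifests keyed by path (not the real Palyra workspace).
MANIFESTS: Dict[str, str] = {
    "Cargo.toml": '[workspace]\nmembers = ["crates/*"]\n\n'
                  '[workspace.package]\nversion = "0.4.2"\n',
    "crates/palyrad/Cargo.toml": '[package]\nname = "palyrad"\nversion.workspace = true\n',
    "crates/palyra-cli/Cargo.toml": '[package]\nname = "palyra-cli"\nversion = "0.4.2"\n',
    "crates/palyra-browserd/Cargo.toml": '[package]\nname = "palyra-browserd"\nversion = "0.4.1"\n',
}

SECTION_RE = re.compile(r"^\[([^\]]+)\]\s*$", re.M)
VERSION_RE = re.compile(r'^version\s*=\s*"([^"]+)"', re.M)
# Matches both `version.workspace = true` and `version = { workspace = true }`.
INHERIT_RE = re.compile(r"^version(\.workspace\s*=|\s*=\s*\{\s*workspace\s*=)\s*true", re.M)

def sections(toml_text: str) -> Dict[str, str]:
    """Split a manifest into {table name: body}. Minimal on purpose, not a full TOML parser."""
    parts = SECTION_RE.split(toml_text)  # [preamble, name1, body1, name2, body2, ...]
    return {parts[i]: parts[i + 1] for i in range(1, len(parts) - 1, 2)}

def package_version(body: str, workspace_version: Optional[str]) -> Optional[str]:
    """Resolve a [package] version, following workspace inheritance to the root manifest."""
    if INHERIT_RE.search(body):
        return workspace_version
    match = VERSION_RE.search(body)
    return match.group(1) if match else None

def check_version_coherence(manifests: Dict[str, str], tag: str) -> List[str]:
    """Return one message per crate whose version differs from the tag; [] means coherent."""
    expected = tag[1:] if tag.startswith("v") else tag  # accept both v1.2.3 and 1.2.3
    root = sections(manifests.get("Cargo.toml", ""))
    ws_match = VERSION_RE.search(root.get("workspace.package", ""))
    workspace_version = ws_match.group(1) if ws_match else None
    problems = []
    for path, text in sorted(manifests.items()):
        pkg = sections(text).get("package")
        if pkg is None:
            continue  # virtual workspace root: no [package] table to check
        found = package_version(pkg, workspace_version)
        if found != expected:
            problems.append(f"{path}: version {found!r} does not match tag {expected!r}")
    return problems

if __name__ == "__main__":
    for line in check_version_coherence(MANIFESTS, "v0.4.2"):
        print(line)
```

In a release job the script would exit non-zero when the returned list is non-empty, so a crate that missed the version bump blocks the tag before any bundle is built.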
Infrastructure and Tooling
The project maintains custom GitHub Actions to ensure reproducible build environments.
- Setup Rust Toolchain: A composite action that installs a pinned Rust version (currently `1.91.0`) with retries for network resilience .github/actions/setup-rust-toolchain/action.yml#1-20.
- System Dependencies: Linux runners are configured with the necessary GTK and WebKit libraries to support Tauri builds .github/workflows/ci.yml#70-80.
- Static Analysis: CodeQL is configured to scan Rust and TypeScript paths while ignoring third-party vendored code .github/codeql/codeql-config.yml#1-5.