System Overview
The Palyra CI/CD environment is divided into three primary functional areas: continuous integration (validation), security scanning (gates), and release engineering (distribution).
CI/CD Logic & Code Association
The following diagram maps the high-level CI/CD concepts to the specific scripts and workflow files that implement them.
[Diagram: CI/CD Pipeline Mapping] Sources: .github/workflows/ci.yml#1-136, .github/workflows/security.yml#1-132, .github/workflows/release.yml#1-170
CI Pipeline & Testing Strategy
The CI pipeline ensures code quality across Windows, macOS, and Linux. It utilizes a custom toolchain called vp (Vite+) for managing frontend assets and scripts .github/workflows/ci.yml#34-40. Beyond standard unit tests, the pipeline executes a “Deterministic Core Suite” to ensure agent logic remains stable across runs .github/workflows/ci.yml#120-121.
Key components include:
- Cross-Platform Builds: Validating the workspace on ubuntu-latest, macos-latest, and windows-latest .github/workflows/ci.yml#23.
- Workflow Regressions: Running complex agent scenarios to detect logic drift .github/workflows/ci.yml#135-136.
- CLI Parity: Validating that the CLI command tree matches the expected help snapshots and documentation .github/workflows/ci.yml#213-230.
Security Gates & Supply Chain
Security is enforced through automated scanning of both the Rust and Node.js ecosystems. The system uses cargo-audit and cargo-deny for Rust dependencies .github/workflows/security.yml#95-99 and a specialized npm audit allowlist validator for the web dashboard .github/workflows/security.yml#56-63.
The security architecture includes:
- Secret Scanning: Utilizing gitleaks to prevent credential leakage .github/workflows/security.yml#120-123.
- Vulnerability Tracking: Integrating osv-scanner for comprehensive vulnerability lookups .github/workflows/security.yml#101-104.
- SBOM Generation: Producing a CycloneDX Software Bill of Materials for every release .github/workflows/security.yml#131-132.
- CodeQL: Static analysis for Rust, JavaScript/TypeScript, and GitHub Actions .github/workflows/codeql.yml#19-25.
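To show concretely what an npm audit allowlist validator gates on, here is an added JavaScript example written for this page. It is not Palyra's own validator and does not reproduce the logic of .github/workflows/security.yml; the report shape is assumed to be the npm v7+ `npm audit --json` layout, and the package names, advisory ids and allowlist fields are constructed for the example. The gate suppresses a finding only when a current, justified allowlist entry covers its advisory id, and fails on everything else at or above a severity threshold, so an expired exception re-surfaces instead of silently persisting:

```javascript
// Added example (not Palyra's own validator): gate `npm audit --json` output against an allowlist.
// Assumes the npm v7+ report shape: { vulnerabilities: { <pkg>: { name, severity, via: [...] } } },
// where each object in `via` carries the advisory id in `source` and string entries name another package.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample report; the package names and advisory ids are made up for this example.
const SAMPLE_AUDIT = {
  vulnerabilities: {
    "example-parser": {
      name: "example-parser",
      severity: "high",
      via: [{ source: 1001, url: "https://example.invalid/advisory/1001", title: "constructed advisory" }],
    },
    "example-logger": {
      name: "example-logger",
      severity: "moderate",
      via: [{ source: 1002, url: "https://example.invalid/advisory/1002", title: "constructed advisory" }],
    },
    "example-wrapper": {
      name: "example-wrapper",
      severity: "high",
      via: ["example-parser"], // vulnerable only through its dependency; counted under that package
    },
  },
};

// Constructed allowlist: every accepted finding needs a written reason and an expiry date,
// so an exception cannot silently outlive the justification for it.
const SAMPLE_ALLOWLIST = [
  { advisory: 1001, reason: "dev-only tooling, not shipped in the bundle", expires: "2099-01-01" },
];

function evaluateAudit(audit, allowlist, { minSeverity = "moderate", now = new Date() } = {}) {
  const threshold = SEVERITY_RANK[minSeverity];
  const active = new Map();
  const expired = new Set();
  for (const entry of allowlist) {
    if (new Date(entry.expires) > now) active.set(entry.advisory, entry);
    else expired.add(entry.advisory);
  }

  const blocking = [];
  const allowed = [];
  for (const vuln of Object.values(audit.vulnerabilities || {})) {
    if ((SEVERITY_RANK[vuln.severity] ?? 0) < threshold) continue;
    for (const via of vuln.via || []) {
      if (typeof via !== "object") continue; // string entries point at another package's advisory
      const record = { package: vuln.name, advisory: via.source, severity: vuln.severity, url: via.url };
      if (active.has(via.source)) {
        allowed.push({ ...record, reason: active.get(via.source).reason });
      } else {
        blocking.push({ ...record, expiredAllowlist: expired.has(via.source) });
      }
    }
  }
  // The gate fails on any unallowed finding at or above the threshold.
  return { ok: blocking.length === 0, blocking, allowed, expiredAllowlist: [...expired] };
}

// Stand-alone run: print the verdict for the constructed report.
const verdict = evaluateAudit(SAMPLE_AUDIT, SAMPLE_ALLOWLIST);
console.log(verdict.ok ? "audit gate passed" : "audit gate FAILED", JSON.stringify(verdict, null, 2));
```

In a real pipeline the report would come from `npm audit --json` and the allowlist from a reviewed file in the repository; the expiry field is what keeps the allowlist from becoming a permanent mute list, and the `expiredAllowlist` flag in the output tells the reviewer that a previously accepted finding has come back because its exception lapsed, not because it is new.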
Release Engineering & Portable Bundles
Palyra is distributed as “portable bundles” for both Desktop and Headless environments. The release process is governed by strict version coherence checks .github/workflows/release.yml#45-49 and a “Release Smoke” suite that installs and validates the actual packaged artifacts .github/workflows/release.yml#243-244.
[Diagram: Release Packaging Structure] Sources: scripts/release/package-portable.ps1#65-94, scripts/release/validate-portable-archive.ps1#29-33
The release engineering stack features:
- Bundle Composition: Colocating the gRPC services (palyrad, palyra-browserd), the CLI (palyra), and the Web UI scripts/release/package-portable.ps1#87-94.
- Installation Lifecycle: Scripts for automated install, update, and uninstall validation on the target host scripts/release/install-headless-package.ps1#58-72.
- Provenance: Generating SHA256 manifests and GitHub build attestations for artifact integrity .github/workflows/release.yml#21-22.
Sources: .github/workflows/ci.yml, .github/workflows/security.yml, .github/workflows/release.yml, scripts/release/package-portable.ps1, scripts/release/install-headless-package.ps1, scripts/release/validate-portable-archive.ps1