Release Workflow Overview
The release process is driven by the release.yml GitHub Actions workflow. It follows a strict sequence of validation, compilation, packaging, and attestation.
1. Version Coherence Assertion
Before any artifacts are built, the workflow executes scripts/release/assert-version-coherence.ps1 to ensure that the version defined in the repository (across 18+ Rust crates and frontend packages) is consistent and matches the git tag being released (.github/workflows/release.yml#41-64).
2. Multi-Platform Build Matrix
Palyra targets three primary operating systems:
- Ubuntu (Linux): Produces headless packages and regression-test desktop bundles (.github/workflows/release.yml#127).
- Windows: Produces portable desktop bundles and headless packages (.github/workflows/release.yml#127).
- macOS: Produces portable desktop bundles and headless packages (.github/workflows/release.yml#127).
3. Artifact Compilation
The workflow builds four core binaries in --release mode:
- palyra-daemon (palyrad): The central execution engine (.github/workflows/release.yml#168).
- palyra-browserd: The browser automation sidecar (.github/workflows/release.yml#168).
- palyra-cli (palyra): The operator interface (.github/workflows/release.yml#168).
- apps/desktop: The Tauri-based control center (desktop-only) (.github/workflows/release.yml#169).
4. Release Engineering Data Flow
The following diagram illustrates how source components are transformed into final portable packages.
[Diagram: Package Assembly Data Flow]
Sources: scripts/release/package-portable.ps1:28-95, scripts/release/validate-portable-archive.ps1:29-57, .github/workflows/release.yml:168-175
Portable Package Structures
Palyra distributes two types of portable packages via scripts/release/package-portable.ps1. Both types are designed to be “unzip and run,” requiring no global system installation.
Desktop Portable Bundle
Designed for end-user workstations. It includes the graphical supervisor and all necessary sidecars.
- Payload Contents: palyra-desktop-control-center, palyrad, palyra-browserd, palyra, web/dashboard, and docs/ (scripts/release/package-portable.ps1:84-94).
- Upgrade Path: Archive replacement. Users stop the app, replace the binaries, and restart. State is preserved in the platform-specific state_root (scripts/release/package-portable.ps1:111-114).
Headless Portable Package
Designed for servers or remote nodes.
- Payload Contents: palyrad, palyra-browserd, palyra, web/dashboard, and docs/ (scripts/release/package-portable.ps1:87-94).
- System Integration: Includes a generated palyrad.service unit for systemd integration on Linux (scripts/release/install-headless-package.ps1:88-112).
- Upgrade Path: Requires running palyra config migrate after binary replacement to ensure configuration compatibility (scripts/release/package-portable.ps1:137-142).
Release Manifest & Security Sidecars
Every release includes a release-manifest.json and a checksums.txt file inside the archive to ensure integrity and provide machine-readable metadata.
Release Manifest Schema
The manifest is generated by package-portable.ps1 and contains:
- artifact_kind: Either desktop or headless (scripts/release/package-portable.ps1:28-33).
- version: The semver string of the release (scripts/release/package-portable.ps1:24).
- platform: The platform slug (e.g., linux-x64, macos-arm64) (scripts/release/package-portable.ps1:25).
- binaries: A list of included executables with their individual SHA256 hashes and sizes (scripts/release/package-portable.ps1:63-81).
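A consumer-side check of an extracted package against the manifest fields listed above, as an added example that is not the project's validate-portable-archive.ps1. The function name Test-ReleaseManifest and the per-binary field names path, sha256 and size_bytes are assumptions; the sample tree is constructed.

```powershell
# Added example, not the project's script. The per-binary field names
# (path, sha256, size_bytes) are assumptions; the page does not give them.
function Test-ReleaseManifest {
    param([Parameter(Mandatory)][string]$Root)
    $json = Get-Content -LiteralPath (Join-Path $Root 'release-manifest.json') -Raw
    $manifest = $json | ConvertFrom-Json
    $problems = [System.Collections.Generic.List[string]]::new()
    if ($manifest.artifact_kind -notin @('desktop', 'headless')) {
        $problems.Add("unexpected artifact_kind '$($manifest.artifact_kind)'")
    }
    foreach ($bin in $manifest.binaries) {
        # The manifest is untrusted input until verified: keep paths inside $Root.
        if ([System.IO.Path]::IsPathRooted($bin.path) -or $bin.path -match '(^|[\\/])\.\.([\\/]|$)') {
            $problems.Add("unsafe path: $($bin.path)"); continue
        }
        $file = Join-Path $Root $bin.path
        if (-not (Test-Path -LiteralPath $file -PathType Leaf)) {
            $problems.Add("missing: $($bin.path)"); continue
        }
        if ((Get-Item -LiteralPath $file).Length -ne $bin.size_bytes) {
            $problems.Add("size mismatch: $($bin.path)")
        }
        $actual = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
        if ($actual -ne $bin.sha256) {   # string -ne ignores hex case
            $problems.Add("sha256 mismatch: $($bin.path)")
        }
    }
    $problems
}

# Constructed sample tree so the example runs offline.
$root = Join-Path ([System.IO.Path]::GetTempPath()) ("manifest-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $root | Out-Null
$binPath = Join-Path $root 'palyrad'
Set-Content -LiteralPath $binPath -Value 'constructed placeholder' -NoNewline
@{
    artifact_kind = 'headless'; version = '0.0.0'; platform = 'linux-x64'
    binaries = @(@{
        path = 'palyrad'; size_bytes = (Get-Item -LiteralPath $binPath).Length
        sha256 = (Get-FileHash -LiteralPath $binPath -Algorithm SHA256).Hash
    })
} | ConvertTo-Json -Depth 4 | Set-Content -LiteralPath (Join-Path $root 'release-manifest.json')
"clean:    $(@(Test-ReleaseManifest -Root $root).Count) problem(s)"
Add-Content -LiteralPath $binPath -Value 'tampered'
"tampered: $(@(Test-ReleaseManifest -Root $root) -join '; ')"
Remove-Item -Recurse -Force $root
```

Hashes that travel inside the archive detect corruption and partial modification only, since anyone who can rewrite the archive can rewrite the manifest too. The build-provenance attestation is the check that ties the archive to the release workflow.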
Supply Chain Security Gates
The release workflow integrates several security layers before publication:
- Artifact Attestation: Uses GitHub’s actions/attest-build-provenance to create a cryptographically signed statement of how the artifact was built (.github/workflows/release.yml:21-22).
- SBOM Generation: cargo cyclonedx generates a Software Bill of Materials in JSON format (.github/workflows/security.yml:131-132).
- Vulnerability Scanning: Runs cargo audit, cargo deny, and osv-scanner to check for known vulnerabilities in dependencies (.github/workflows/security.yml:95-105).
- Secret Scanning: gitleaks scans the codebase for accidentally committed credentials (.github/workflows/security.yml:120-123).
Sources: .github/workflows/release.yml:19-23, .github/workflows/security.yml:95-132
Installation and Upgrade Implementation
Installation is handled by dedicated PowerShell scripts that validate the portable archives and set up the local environment.
Key Installation Functions
- Expand-ZipArchiveSafely: Implements path traversal protection during extraction to prevent “Zip Slip” vulnerabilities (scripts/release/common.ps1:209-246).
- Install-PalyraCliExposure: Configures the user’s environment to recognize the palyra command, optionally persisting it to the shell profile (scripts/release/install-headless-package.ps1:47-51).
- Validate-Portable-Archive: Checks the extracted content against the release-manifest.json and verifies every file against checksums.txt (scripts/release/validate-portable-archive.ps1:29-111).
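The kind of path traversal check that Zip Slip protection requires, as an added example that is not the project's Expand-ZipArchiveSafely. The function name Expand-ZipChecked is hypothetical and the test archive is constructed.

```powershell
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Added example (not the project's code): refuse any entry that resolves outside $Destination.
function Expand-ZipChecked {
    param([Parameter(Mandatory)][string]$ZipPath, [Parameter(Mandatory)][string]$Destination)
    $sep  = [System.IO.Path]::DirectorySeparatorChar
    $root = [System.IO.Path]::GetFullPath($Destination).TrimEnd($sep) + $sep
    $zip  = [System.IO.Compression.ZipFile]::OpenRead($ZipPath)
    try {
        # Pass 1: resolve every entry before writing anything, so a hostile
        # archive is rejected whole instead of being half-extracted.
        $plan = foreach ($entry in $zip.Entries) {
            # Path.Combine returns a rooted entry name unchanged, so absolute
            # entries fail the prefix check just like ../ sequences do.
            $target = [System.IO.Path]::GetFullPath([System.IO.Path]::Combine($root, $entry.FullName))
            if (-not $target.StartsWith($root, [System.StringComparison]::Ordinal)) {
                throw "Entry escapes destination: $($entry.FullName)"
            }
            [pscustomobject]@{ Entry = $entry; Target = $target }
        }
        # Pass 2: every target is known to sit under $root.
        foreach ($item in $plan) {
            $isDir = -not $item.Entry.Name          # directory entries have an empty Name
            $dir = if ($isDir) { $item.Target } else { Split-Path $item.Target -Parent }
            [void][System.IO.Directory]::CreateDirectory($dir)
            if (-not $isDir) {
                [System.IO.Compression.ZipFileExtensions]::ExtractToFile($item.Entry, $item.Target, $true)
            }
        }
    }
    finally { $zip.Dispose() }
}

# Constructed test archive: one normal entry and one traversal entry.
$tmp = Join-Path ([System.IO.Path]::GetTempPath()) ("zipslip-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $tmp | Out-Null
$zipPath = Join-Path $tmp 'sample.zip'
$archive = [System.IO.Compression.ZipFile]::Open($zipPath, 'Create')
foreach ($name in 'docs/README.txt', '../outside.txt') {
    $writer = [System.IO.StreamWriter]::new($archive.CreateEntry($name).Open())
    $writer.Write('constructed'); $writer.Dispose()
}
$archive.Dispose()
try { Expand-ZipChecked -ZipPath $zipPath -Destination (Join-Path $tmp 'out') }
catch { Write-Host "Rejected: $($_.Exception.Message)" }
Remove-Item -Recurse -Force $tmp
```

The trailing separator on $root matters: without it, a sibling directory such as out-evil would pass a prefix check against out. Pass an absolute -Destination, because GetFullPath resolves relative paths against the process working directory, which can differ from the PowerShell location.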
Upgrade and Migration
Upgrades follow a “replace-and-migrate” pattern. The palyra config migrate command is essential for headless installations. The ROLLBACK.txt included in every package provides explicit steps for reverting to a previous version, emphasizing that the state_root (containing SQLite databases and logs) should remain untouched during binary swaps (scripts/release/package-portable.ps1:150-157).
Sources: scripts/release/common.ps1:209-246, scripts/release/install-headless-package.ps1:40-112, scripts/release/validate-portable-archive.ps1:94-111, scripts/release/package-portable.ps1:150-157