This section provides an overview of the Palyra automation suite, which ensures code quality, supply chain security, and reproducible release distribution across Linux, macOS, and Windows. The pipeline is built primarily on GitHub Actions and a suite of specialized PowerShell and Bash scripts designed for cross-platform consistency. The automation strategy is divided into three primary pillars:
  1. Continuous Integration (CI): Multi-platform build and test matrices.
  2. Security Gates: Deep supply chain analysis and static secret scanning.
  3. Release Engineering: Packaging of portable desktop and headless bundles with build provenance.

Pipeline Orchestration Overview

The following diagram illustrates how code changes flow through the automated gates from pull request to final release artifact.

Figure: Workflow Integration Map
Sources: .github/workflows/ci.yml#1-16, .github/workflows/security.yml#1-11, .github/workflows/release.yml#1-29, .github/workflows/codeql.yml#1-18

Continuous Integration Pipeline

The CI pipeline enforces a strict “no-regression” policy across the supported platform matrix. It pins the Rust toolchain to version 1.91.0 [.github/workflows/ci.yml#31-31] and uses a dedicated Vite+ setup for web components [.github/workflows/ci.yml#35-39]. Key quality jobs include:
  • Multi-Platform Matrix: Concurrent builds on ubuntu-latest, macos-latest, and windows-latest [.github/workflows/ci.yml#18-23].
  • Artifact Hygiene: Scripts like check-no-vendored-artifacts.sh and check-runtime-artifacts.sh prevent accidental commits of binary blobs or local database files [.github/workflows/ci.yml#182-186].
  • CLI Parity: A dedicated job ensures that the palyra CLI maintains feature parity across platforms by generating and validating a parity matrix [.github/workflows/ci.yml#213-230].
For details, see Continuous Integration Pipeline.

Security Gates and Supply Chain

Palyra employs a defense-in-depth approach to the software supply chain. Every change is subjected to multiple scanners to detect vulnerabilities in dependencies and hardcoded secrets. The security workflow incorporates:

For details, see Security Gates and Supply Chain.

Release Engineering and Distribution

Release engineering transforms the compiled binaries into distributable “Portable Bundles.” The system distinguishes between a Desktop Portable Bundle (including the Tauri-based Control Center) and a Headless Portable Package (optimized for server/CLI usage) [scripts/release/package-portable.ps1#28-33]. The release process includes:
  • Version Coherence: The assert-version-coherence.ps1 script ensures the repository version matches the release tag [.github/workflows/release.yml#45-45].
  • Automated Packaging: The package-portable.ps1 script assembles binaries, web assets, and documentation into platform-specific ZIP archives [scripts/release/package-portable.ps1#9-16].
  • Archive Validation: Every package is inspected by validate-portable-archive.ps1 to ensure it contains required binaries (e.g., palyrad, palyra-browserd, palyra) and is free of forbidden runtime artifacts like .sqlite or .log files [scripts/release/validate-portable-archive.ps1#47-69].
  • Smoke Testing: A comprehensive run-release-smoke.ps1 script performs a full install/uninstall cycle of the packaged archives to verify CLI exposure and command resolution [scripts/test/run-release-smoke.ps1#40-109].
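To make the Archive Validation step concrete, here is an added PowerShell example (not the project's own validate-portable-archive.ps1) that opens a portable ZIP, checks that each required binary is present (with or without the Windows .exe suffix) and that no forbidden runtime artifact is bundled. The function name, parameter names and the extra unsafe-path check are assumptions; the required binary names and the .sqlite/.log denylist come from the text above.

```powershell
function Test-PortableArchive {
    # Added example; assumed function and parameter names, not the project's API.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ArchivePath,
        # Required binaries named on the page; Windows builds carry an .exe suffix.
        [string[]] $RequiredBinaries = @('palyrad', 'palyra-browserd', 'palyra'),
        # Runtime artifacts that must never ship inside a release bundle.
        [string[]] $ForbiddenExtensions = @('.sqlite', '.log')
    )
    Add-Type -AssemblyName System.IO.Compression.FileSystem
    $fullPath = (Resolve-Path -LiteralPath $ArchivePath).ProviderPath
    $zip = [System.IO.Compression.ZipFile]::OpenRead($fullPath)
    try {
        # Directory entries have an empty Name; only file entries matter here.
        $entries = $zip.Entries | Where-Object { $_.Name -ne '' }
        $names = @($entries | ForEach-Object { $_.Name })
        $problems = @()

        foreach ($bin in $RequiredBinaries) {
            if (-not (($names -contains $bin) -or ($names -contains "$bin.exe"))) {
                $problems += "missing required binary: $bin"
            }
        }

        foreach ($entry in $entries) {
            # -contains is case-insensitive, so .LOG and .Sqlite are caught too.
            $ext = [System.IO.Path]::GetExtension($entry.Name)
            if ($ForbiddenExtensions -contains $ext) {
                $problems += "forbidden runtime artifact: $($entry.FullName)"
            }
            # Assumed extra check: reject entries that would escape the extraction
            # directory (absolute paths or '..' segments) when the bundle is unpacked.
            if ([System.IO.Path]::IsPathRooted($entry.FullName) -or
                $entry.FullName -match '(^|[\\/])\.\.([\\/]|$)') {
                $problems += "unsafe entry path: $($entry.FullName)"
            }
        }

        [pscustomobject]@{
            Archive  = $fullPath
            Ok       = ($problems.Count -eq 0)
            Problems = $problems
        }
    }
    finally {
        $zip.Dispose()
    }
}

# Usage: a non-zero exit lets a CI job fail the release on any finding.
$result = Test-PortableArchive -ArchivePath '.\palyra-portable.zip'   # constructed path
$result.Problems | ForEach-Object { Write-Error $_ }
if (-not $result.Ok) { exit 1 }
```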
Figure: Release Entity Relationship
Sources: scripts/release/package-portable.ps1#28-61, scripts/release/validate-portable-archive.ps1#29-57, scripts/release/common.ps1#33-60

For details, see Release Packaging and Distribution.
