The Palyra CI/CD infrastructure is designed to enforce strict security, stability, and quality standards across a polyglot monorepo containing Rust, TypeScript/React, and Tauri components. The pipeline leverages GitHub Actions to execute a multi-layered validation strategy, ranging from basic linting to complex deterministic regression suites and supply-chain security audits.

CI Pipeline Overview

The primary CI entry point is ci.yml, which orchestrates building, testing, and quality enforcement across Windows, macOS, and Linux.

Multi-OS Build and Test Matrix

The build-and-test job utilizes a strategy matrix to ensure cross-platform compatibility for the core daemon and CLI .github/workflows/ci.yml#17-23. It performs the following sequence:
  1. Environment Setup: Installs the pinned Rust toolchain (1.91.0) with rustfmt and clippy .github/workflows/ci.yml#28-32.
  2. Web/Desktop UI Preparation: Uses the setup-vp-safe action to install Node.js dependencies and builds the desktop UI via ensure-desktop-ui.ps1 .github/workflows/ci.yml#34-43.
  3. Workspace Validation: Executes cargo build --workspace --locked and cargo test --workspace --locked to verify the integrity of all Rust crates .github/workflows/ci.yml#45-49.

Quality Job and Formatting

The quality job acts as the primary gate for code style and repository hygiene .github/workflows/ci.yml#172-174. It enforces several custom guards:

CI Pipeline Flow

The following diagram illustrates the parallel execution of jobs in the CI pipeline.
[Diagram: Palyra CI Job Orchestration]
Sources: .github/workflows/ci.yml#1-236, scripts/run-pre-push-checks.sh#41-102

Security Gates and Static Analysis

Security is enforced through a dedicated security.yml workflow and GitHub’s CodeQL analysis.

Supply Chain Auditing

The security-gates job performs deep scans of the dependency tree .github/workflows/security.yml#11-13:
  • Rust Audits: Uses cargo audit to check for CVEs in Cargo.lock and cargo deny to enforce license compliance and ban specific crates .github/workflows/security.yml#95-99.
  • JavaScript Audits: Runs npm audit with a custom allowlist mechanism (validate-npm-audit-dev-allowlist.mjs) that permits high-severity vulnerabilities only in devDependencies if they are non-exploitable in the final bundle .github/workflows/security.yml#30-64.
  • OSV Scanner: Uses Google’s osv-scanner to cross-reference dependencies against the Open Source Vulnerabilities database .github/workflows/security.yml#101-105.

Static Analysis and Secret Scanning

  • CodeQL: Scans actions, javascript-typescript, and rust languages. It uses a custom configuration (codeql-config.yml) and runs in build-mode: none for lightweight execution .github/workflows/codeql.yml#18-45.
  • Gitleaks: Scans the entire repository history for secrets, using a SARIF report format for integration with GitHub’s security tab .github/workflows/security.yml#120-124.
  • Pattern Scanning: check-high-risk-patterns.sh looks for dangerous coding patterns (e.g., unsafe Rust blocks or hardcoded credentials) .github/workflows/security.yml#128-129.

[Diagram: Security Analysis Data Flow]
Sources: .github/workflows/security.yml#1-156, .github/workflows/codeql.yml#1-48, .github/codeql/codeql-config.yml#1-5
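As an added example (not Palyra's own check-high-risk-patterns.sh, whose exact patterns the page does not show), the script below implements the kind of textual gate described above: it flags unsafe blocks in Rust sources and credential-looking string literals in Rust and TypeScript, lets an allowlist regex exempt paths such as vendored code, and exits non-zero so the CI job fails while any unexempted hit remains. The regexes, the allowlist convention and the function names are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not Palyra's check-high-risk-patterns.sh: a small textual
# gate that flags risky patterns for review. Regexes, allowlist handling and
# function names are assumptions made for this illustration.
set -eu

# Rust "unsafe {" blocks: every hit must be justified or the gate fails.
UNSAFE_RE='unsafe[[:space:]]*[{]'
# Credential-looking literals (8+ chars) assigned to a suspicious name.
CRED_RE="(password|passwd|secret|api_key|apikey|token)[[:space:]]*[:=][[:space:]]*[\"'][^\"']{8,}[\"']"

# scan_high_risk_patterns DIR [ALLOW_RE]
# Prints "path:line:text" for every finding whose path does not match
# ALLOW_RE (extended regex; the default allows nothing) and returns 1 if any
# such finding exists, 0 otherwise. As a CI step, the non-zero exit fails
# the job; the printed lines tell the reviewer where to look.
scan_high_risk_patterns() {
    dir=$1
    allow=${2:-'^$'}
    findings=$(
        {
            grep -rnE --include='*.rs' "$UNSAFE_RE" "$dir" || true
            grep -rniE --include='*.rs' --include='*.ts' --include='*.tsx' \
                "$CRED_RE" "$dir" || true
        } | awk -F: -v re="$allow" '$1 !~ re'   # filter on the path only
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# count_high_risk_findings DIR [ALLOW_RE]: number of unexempted findings.
count_high_risk_findings() {
    scan_high_risk_patterns "$@" | grep -c . || true
}

# Stand-alone usage: sh check-patterns.sh <dir> ['<allow regex>']
if [ -n "${1:-}" ]; then
    scan_high_risk_patterns "$1" "${2:-}"
fi
```

The gate is deliberately coarse: it matches text, so it also reports an unsafe block inside a comment or test fixture. That is the intended trade-off for a pre-merge check, where a false positive costs a reviewer a glance, while the allowlist keeps known-and-reviewed paths (vendored code, generated stubs) from blocking every run.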

Protocol and CLI Validation

To maintain the contract between the Rust daemon and various clients (CLI, Web UI, Desktop), the CI pipeline enforces protocol stub consistency.

Protocol Stub Validation

The pipeline ensures that generated code stubs for Rust, Kotlin, and Swift match the Protobuf definitions. This is checked during pre-push and within specific CI jobs to prevent “drift” between the daemon’s API and its clients scripts/run-pre-push-checks.sh#95-98.

CLI Parity Acceptance

The cli-parity job ensures that the CLI remains consistent across versions:
  1. Parity Report: Generates a markdown matrix using the render_cli_parity_report example within palyra-cli .github/workflows/ci.yml#225-227.
  2. Snapshot Testing: Compares current CLI help output against stored snapshots via help_snapshots tests .github/workflows/ci.yml#228-230.

Local Development: Pre-push Hooks

Developers are encouraged to run scripts/run-pre-push-checks.sh before pushing to the remote. The script supports two profiles, Fast and Full, which select the checks listed in the table below. It also uses a trap to ensure that any runtime artifacts generated during local testing (such as SQLite databases or temporary logs) are cleaned up regardless of success or failure scripts/run-pre-push-checks.sh#104.
  Check Type   | Script / Command                         | Profile
  -------------+------------------------------------------+----------
  Formatting   | cargo fmt --all --check                  | Fast/Full
  Linting      | cargo clippy --workspace --all-targets   | Full
  Hygiene      | scripts/check-runtime-artifacts.sh       | Fast/Full
  Logic        | scripts/test/run-deterministic-core.sh   | Fast/Full
  Protocol     | scripts/protocol/validate-proto.sh       | Full
  Regression   | scripts/test/run-workflow-regression.sh  | Full
Sources: scripts/run-pre-push-checks.sh#1-123, .github/workflows/ci.yml#213-231, scripts/check-local-only-tracked-files.sh#1-24
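The following script is an added example, not Palyra's scripts/run-pre-push-checks.sh: it shows how a two-profile pre-push runner can be structured around the check table above, with a Fast profile that runs the Fast/Full rows and a Full profile that runs every row, plus an EXIT trap so runtime artifacts are removed whether the checks pass, fail, or are interrupted. The profile spellings, the artifact file names, the PALYRA_DRY_RUN switch and all function names are assumptions.

```shell
#!/bin/sh
# Added example, not Palyra's scripts/run-pre-push-checks.sh: a two-profile
# pre-push runner with an EXIT trap for artifact cleanup. Profile names,
# artifact file names, PALYRA_DRY_RUN and all function names are assumptions.
set -eu

# Runtime artifacts that local test runs may leave behind (assumed names).
RUNTIME_ARTIFACTS='palyra-test.db palyra-test.db-wal palyra-test.db-shm *.tmp.log'

# check_command NAME: the command behind each row of the check table.
check_command() {
    case $1 in
        formatting) echo 'cargo fmt --all --check' ;;
        linting)    echo 'cargo clippy --workspace --all-targets' ;;
        hygiene)    echo 'scripts/check-runtime-artifacts.sh' ;;
        logic)      echo 'scripts/test/run-deterministic-core.sh' ;;
        protocol)   echo 'scripts/protocol/validate-proto.sh' ;;
        regression) echo 'scripts/test/run-workflow-regression.sh' ;;
        *) echo "unknown check: $1" >&2; return 1 ;;
    esac
}

# checks_for_profile PROFILE: names of the checks a profile runs, in order.
# "fast" runs the Fast/Full rows of the table; "full" runs every row.
checks_for_profile() {
    case $1 in
        fast) echo 'formatting hygiene logic' ;;
        full) echo 'formatting linting hygiene logic protocol regression' ;;
        *) echo "unknown profile: $1 (expected fast or full)" >&2; return 2 ;;
    esac
}

# cleanup_runtime_artifacts: remove leftovers from the current directory.
cleanup_runtime_artifacts() {
    for f in $RUNTIME_ARTIFACTS; do
        [ -e "$f" ] && rm -f "$f" && echo "cleaned up $f" >&2
    done
    return 0
}

# run_pre_push_checks PROFILE [WORKDIR]
# Runs the profile's checks in WORKDIR, stopping at the first failure.
# The work happens in a subshell whose EXIT trap fires on success, on
# failure and on interruption, so artifacts never survive a failed run.
# PALYRA_DRY_RUN=1 prints the commands instead of executing them.
run_pre_push_checks() {
    profile=$1
    workdir=${2:-.}
    names=$(checks_for_profile "$profile") || return $?
    (
        cd "$workdir" || exit 1
        trap cleanup_runtime_artifacts EXIT
        for name in $names; do
            cmd=$(check_command "$name")
            if [ "${PALYRA_DRY_RUN:-0}" = 1 ]; then
                printf '[dry-run] %-10s %s\n' "$name" "$cmd"
            else
                printf '==> %s: %s\n' "$name" "$cmd"
                sh -c "$cmd" || { echo "pre-push check failed: $name" >&2; exit 1; }
            fi
        done
        echo "all $profile checks passed"
    )
}

# Stand-alone usage: sh pre-push-checks.sh fast|full [repo-root]
if [ -n "${1:-}" ]; then
    run_pre_push_checks "$1" "${2:-.}"
fi
```

Run it as sh pre-push-checks.sh fast from the repository root; PALYRA_DRY_RUN=1 prints the selected commands without executing them, which is a cheap way to confirm that a profile picks up the intended rows before the Rust toolchain is involved. Keeping the trap inside the subshell, rather than at script level, means the cleanup is scoped to the check run and cannot be skipped by an early exit from any single check.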