CI Workflows - Palyra.com

The Palyra CI/CD pipeline is a multi-layered verification system designed to ensure cross-platform compatibility, protocol integrity, and security across the Rust backend, Vite+ frontend, and CLI surfaces. The primary orchestration occurs within GitHub Actions, utilizing a matrix-based approach for Linux, macOS, and Windows.

Primary CI Pipeline (ci.yml)

The main CI workflow .github/workflows/ci.yml:1-11 handles the core build-and-test matrix, quality enforcement, and specialized regression suites.

Build and Test Matrix

The build-and-test job .github/workflows/ci.yml:17-23 executes on ubuntu-latest, macos-latest, and windows-latest. It ensures that the Rust workspace and the desktop UI can be built and tested in a clean environment.

Rust Toolchain: Standardized on version 1.91.0 .github/workflows/ci.yml:31-31.
Vite+ (vp): Frontend assets for the desktop and web apps are prepared using the setup-vp-safe action .github/workflows/ci.yml:35-40.
Desktop UI Build: Executed via scripts/test/ensure-desktop-ui.ps1 .github/workflows/ci.yml:43-43 before the main Cargo build to ensure embedded assets are available.

Quality and Linting

The quality job .github/workflows/ci.yml:172-174 enforces project standards through several automated guards:

Vite+ Check: Runs vp check on apps/web, apps/desktop/ui, and apps/browser-extension .github/workflows/ci.yml:205-205.
Rustfmt & Clippy: Enforces global formatting and denies warnings .github/workflows/ci.yml:208-211.
Repository Hygiene:
- check-gh-actions-pinned.sh: Ensures all GitHub Actions use SHA pinning for security .github/workflows/ci.yml:180-180.
- check-no-vendored-artifacts.sh: Prevents accidental inclusion of binary blobs .github/workflows/ci.yml:183-183.
- check-runtime-artifacts.sh: Validates that generated runtime files (like DB migrations or proto stubs) are up to date .github/workflows/ci.yml:186-186.

CLI Parity Acceptance

The cli-parity job .github/workflows/cli-parity:213-214 ensures that the CLI remains consistent with its documented capabilities. It runs a specialized example render_cli_parity_report .github/workflows/ci.yml:226-226 which compares the current CLI implementation against the cli_parity_matrix.toml definition. Sources: .github/workflows/ci.yml:1-236, scripts/test/ensure-desktop-ui.ps1:1-10

Specialized Test Suites

Beyond standard unit tests, the CI pipeline runs several high-assurance suites to validate complex system behaviors.

Deterministic Core Suite

The deterministic-core job .github/workflows/ci.yml:89-90 runs tests that must produce identical results regardless of the execution environment. This includes:

Session Compaction: Validating that session_compaction_apply_persists_durable_writes correctly merges state .github/workflows/ci.yml:121-121.
Discord Gateway: Stability of reconnect/resume cycles under soak scripts/test/run-deterministic-soak.sh:37-37.
Dead Letter Recovery: Ensuring queue accounting remains stable scripts/test/run-deterministic-soak.sh:38-38.

Workflow Regression Matrix

This suite .github/workflows/ci.yml:123-124 targets end-to-end flows within the palyra-cli and palyra-daemon. It specifically tests the wizard_cli and the cli_v1_acp_shim scripts/test/run-workflow-regression.sh:48-49 to ensure the Agent Control Protocol (ACP) bridge remains functional.

Performance Smoke

The performance-smoke job .github/workflows/ci.yml:138-139 executes scripts/test/run-performance-smoke.sh .github/workflows/ci.yml:170-170. This job establishes a baseline for resource consumption during standard daemon operations like run orchestration and memory indexing. Sources: .github/workflows/ci.yml:89-171, scripts/test/run-workflow-regression.sh:1-51, scripts/test/run-deterministic-soak.sh:1-41

Security Gates (security.yml)

The security-gates workflow .github/workflows/security.yml:1-13 acts as a mandatory audit layer for the supply chain and secret management.

Supply Chain Auditing

Palyra uses multiple scanners to detect vulnerable dependencies:

cargo-audit: Scans Rust dependencies for security advisories .github/workflows/security.yml:95-96.
cargo-deny: Checks for unauthorized licenses and duplicate crate versions .github/workflows/security.yml:98-99.
OSV-Scanner: Uses Google’s Open Source Vulnerabilities database .github/workflows/security.yml:101-104.
npm audit: Validates the @palyra/web workspace, using a specialized npm-audit-dev-allowlist.json to manage development-only advisories .github/workflows/security.yml:30-63.

Secret and Pattern Scanning

Gitleaks: Scans the entire repository history for leaked credentials .github/workflows/security.yml:120-123.
High-Risk Patterns: check-high-risk-patterns.sh searches for dangerous code patterns (e.g., insecure crypto primitives or unsafe FFI) .github/workflows/security.yml:128-129.

SBOM Generation

The pipeline generates a Software Bill of Materials (SBOM) in CycloneDX JSON format .github/workflows/security.yml:131-132, which is collected as a security artifact for every run. Sources: .github/workflows/security.yml:1-156

Data Flow: From Code to Release Attestation

The following diagram illustrates how code changes flow through the CI verification layers into the release packaging system.

CI/CD Verification Flow

Sources: .github/workflows/ci.yml:1-10, .github/workflows/security.yml:1-10, .github/workflows/release.yml:1-20

CLI Install Smoke Testing

A specialized workflow cli-install-smoke.yml .github/workflows/cli-install-smoke.yml:1-21 validates the actual installation experience. Unlike standard unit tests, this suite operates on the final compiled binaries.

Smoke Test Logic

The script scripts/test/run-cli-install-smoke.ps1 [ scripts/test/run-cli-install-smoke.ps1:1-46 ] creates a isolated ScenarioContext [ scripts/test/run-cli-install-smoke.ps1:41-83 ] with its own config, state root, and vault directory. Key commands validated in the smoke test:

Setup Wizard: palyra setup --wizard --non-interactive [ crates/palyra-cli/tests/installed_smoke.rs:167-194 ].
Diagnostics: palyra doctor --json [ crates/palyra-cli/tests/installed_smoke.rs:72-75 ].
Lifecycle: palyra update --dry-run and palyra uninstall --dry-run [ crates/palyra-cli/tests/installed_smoke.rs:102-145 ].

Code-to-Test Mapping

The following diagram maps the CI test entities to the CLI commands they validate. Sources: crates/palyra-cli/tests/installed_smoke.rs:38-205, scripts/test/run-cli-install-smoke.ps1:1-101

CI Configuration Summary

Feature	Workflow File	Implementation
Cross-Platform	`ci.yml`	Matrix: `ubuntu`, `macos`, `windows` `.github/workflows/ci.yml:23-23`
Rust Version	`ci.yml`	`1.91.0` `.github/workflows/ci.yml:31-31`
Frontend Tooling	`ci.yml`	`vp check` via Vite+ `.github/workflows/ci.yml:205-205`
Security Scanning	`security.yml`	`gitleaks`, `osv-scanner`, `cargo-deny` `.github/workflows/security.yml:95-123`
Static Analysis	`codeql.yml`	CodeQL for Rust and JS/TS `.github/workflows/codeql.yml:25-25`
Dependency Review	`dependency-review.yml`	GitHub Dependency Review Action `.github/workflows/dependency-review.yml:29-29`

Sources: .github/workflows/ci.yml:1-236, .github/workflows/security.yml:1-156, .github/workflows/codeql.yml:1-48

​Primary CI Pipeline (ci.yml)

​Build and Test Matrix

​Quality and Linting

​CLI Parity Acceptance

​Specialized Test Suites

​Deterministic Core Suite

​Workflow Regression Matrix

​Performance Smoke

​Security Gates (security.yml)

​Supply Chain Auditing

​Secret and Pattern Scanning

​SBOM Generation

​Data Flow: From Code to Release Attestation

​CI/CD Verification Flow

​CLI Install Smoke Testing

​Smoke Test Logic

​Code-to-Test Mapping

​CI Configuration Summary