The Palyra CI/CD infrastructure is designed to enforce strict security, quality, and functional parity across its multi-language (Rust/TypeScript) and multi-platform (Linux/macOS/Windows) codebase. The pipeline integrates automated testing, supply chain security scanning, protocol validation, and platform-specific regression suites to ensure that every commit maintains the integrity of the decentralized agent runtime.

Workflow Orchestration

The repository utilizes GitHub Actions for primary CI/CD orchestration, supplemented by a justfile and Makefile for local developer pre-flight checks.

Core Build and Test Matrix

The ci.yml workflow executes a parallel matrix build across ubuntu-latest, macos-latest, and windows-latest .github/workflows/ci.yml#17-23. This job performs a full workspace build and test execution using the pinned Rust toolchain (1.91.0) .github/workflows/ci.yml#31.
Stage        | Command                          | Purpose
Toolchain    | dtolnay/rust-toolchain@v1        | Ensures consistent compilation environments .github/workflows/ci.yml#29.
Vite+ Setup  | .github/actions/setup-vp-safe    | Bootstraps the Node.js workspace for the web/desktop UI .github/workflows/ci.yml#35.
Rust Build   | cargo build --workspace --locked | Validates compilation and dependency resolution .github/workflows/ci.yml#46.
Rust Test    | cargo test --workspace --locked  | Executes unit and integration tests .github/workflows/ci.yml#49.

Quality Gates and Linting

The quality job enforces stylistic and structural consistency .github/workflows/ci.yml#172-212:
  • Action Pinning: scripts/check-gh-actions-pinned.sh ensures all GitHub Actions use full SHA hashes rather than mutable tags .github/workflows/ci.yml#180.
  • Artifact Hygiene: scripts/check-runtime-artifacts.sh and scripts/check-no-vendored-artifacts.sh prevent accidental leakage of build artifacts or unauthorized third-party code into the repository .github/workflows/ci.yml#183-186.
  • Rustfmt & Clippy: Enforces standard Rust formatting and denies all compiler warnings .github/workflows/ci.yml#208-211.
  • Vite+ Check: Validates the TypeScript/React codebases in apps/web and apps/desktop/ui .github/workflows/ci.yml#205.
Sources: .github/workflows/ci.yml#1-212, justfile#1-25, Makefile#1-21
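The action-pinning gate above rejects any GitHub Action referenced by a mutable tag or branch. The following is an added illustration of that check, not the repository's own scripts/check-gh-actions-pinned.sh; it scans workflow text for `uses:` lines and accepts only full 40-character commit SHAs (local composite actions are exempt, container actions must carry an image digest). The sample workflow and the SHA in it are constructed placeholders.

```javascript
// Added example (not Palyra's scripts/check-gh-actions-pinned.sh): report
// `uses:` references in a GitHub Actions workflow that are not pinned to a
// full commit SHA, so a retagged upstream action cannot change what CI runs.
const FULL_SHA = /^[0-9a-f]{40}$/;
const USES_LINE = /^\s*-?\s*uses:\s*(['"]?)([^'"#\s]+)\1/;

// Returns one finding per unpinned reference: { line, ref, reason }.
function findUnpinnedActions(workflowText) {
  const findings = [];
  workflowText.split(/\r?\n/).forEach((text, idx) => {
    const m = USES_LINE.exec(text);
    if (!m) return;
    const ref = m[2];
    const line = idx + 1;
    // Local composite actions live in this repository and are reviewed as code.
    if (ref.startsWith("./")) return;
    if (ref.startsWith("docker://")) {
      // Container actions must be pinned by image digest, not by a tag.
      if (!/@sha256:[0-9a-f]{64}$/.test(ref)) {
        findings.push({ line, ref, reason: "docker image not pinned by digest" });
      }
      return;
    }
    const at = ref.lastIndexOf("@");
    if (at === -1) {
      findings.push({ line, ref, reason: "no version specified" });
    } else if (!FULL_SHA.test(ref.slice(at + 1))) {
      findings.push({ line, ref, reason: "mutable tag or branch instead of full SHA" });
    }
  });
  return findings;
}

// Constructed sample workflow; the 40-hex SHA is a placeholder, not a real commit.
const SAMPLE_WORKFLOW = `
jobs:
  build:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: actions/setup-node@v4
      - uses: ./.github/actions/setup-vp-safe
      - uses: docker://alpine:3.20
      - uses: some-org/some-action
`;

// Gate result for the sample: a non-empty list means the check should fail.
const SAMPLE_FINDINGS = findUnpinnedActions(SAMPLE_WORKFLOW);
```

Run over the sample, the check flags the `@v4` tag, the untagged docker image and the reference with no version, while the SHA-pinned checkout and the local composite action pass.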

Security Gates and Supply Chain Integrity

The security.yml workflow defines the “Security Gates” that must be passed before merging. It focuses on secret detection, vulnerability scanning, and SBOM generation.

Vulnerability Scanning Pipeline

Palyra employs a multi-layered scanning strategy:
  1. Rust Audit: cargo audit checks Cargo.lock against the RustSec Advisory Database .github/workflows/security.yml#95-96.
  2. Dependency Denial: cargo deny check enforces license compliance and bans specific crates .github/workflows/security.yml#98-99.
  3. OSV Scanning: osv-scanner (Google) provides an additional layer of vulnerability detection across multiple ecosystems .github/workflows/security.yml#101-104.
  4. Secret Detection: gitleaks scans the repository history for accidentally committed credentials or keys .github/workflows/security.yml#120-123.

Web Cleanroom and Audit

For the web dashboard, the CI performs a “cleanroom” build. The validate-npm-audit-dev-allowlist.mjs script allows developers to temporarily ignore high-severity vulnerabilities in dev-only dependencies while strictly blocking any vulnerabilities in the runtime production bundle .github/workflows/security.yml#56-64.
(Diagram: CI Security Data Flow)
Sources: .github/workflows/security.yml#1-156, scripts/validate-npm-audit-dev-allowlist.mjs#1-250, osv-scanner.toml#1-2
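The policy described above (allowlist entries may only excuse findings that are absent from the production bundle, and only for a limited time) can be expressed in a few lines. This is an added example, not the repository's validate-npm-audit-dev-allowlist.mjs; it assumes two npm audit runs, one with --omit=dev for the production bundle and one including dev dependencies, have already been reduced to simple finding lists, and all advisory ids, package names and dates are constructed placeholders.

```javascript
// Added example, not Palyra's validate-npm-audit-dev-allowlist.mjs. Findings are
// assumed to be pre-extracted from two `npm audit --json` runs (with and without
// --omit=dev) into the constructed shape [{ id, name, severity }].
const SEVERITY_RANK = { low: 1, moderate: 2, high: 3, critical: 4 };

// allowlist: [{ id, expires }] with an ISO date; an entry is honoured only while
// unexpired and only for findings that do NOT appear in the production audit.
function evaluateAudit({ prodFindings, allFindings, allowlist, now, threshold = "high" }) {
  const blocked = [];
  const accepted = [];
  const prodIds = new Set(prodFindings.map((f) => f.id));
  const live = new Map();
  for (const a of allowlist) {
    if (new Date(a.expires) > now) live.set(a.id, a);
  }
  for (const f of allFindings) {
    if (SEVERITY_RANK[f.severity] < SEVERITY_RANK[threshold]) continue;
    if (prodIds.has(f.id)) {
      // Reachable from the runtime bundle: never allowlistable, whatever the entry says.
      blocked.push({ ...f, reason: "present in production bundle" });
    } else if (live.has(f.id)) {
      accepted.push({ ...f, expires: live.get(f.id).expires });
    } else {
      blocked.push({ ...f, reason: "dev-only but not allowlisted (or entry expired)" });
    }
  }
  return { ok: blocked.length === 0, blocked, accepted };
}

// Constructed sample data: ids, names and dates are placeholders.
const SAMPLE_AUDIT = {
  now: new Date("2025-01-15T00:00:00Z"),
  prodFindings: [{ id: "GHSA-prod-0001", name: "runtime-lib", severity: "high" }],
  allFindings: [
    { id: "GHSA-prod-0001", name: "runtime-lib", severity: "high" },
    { id: "GHSA-dev-0002", name: "dev-bundler", severity: "high" },
    { id: "GHSA-dev-0003", name: "dev-linter", severity: "critical" },
    { id: "GHSA-dev-0004", name: "dev-tool", severity: "low" },
  ],
  allowlist: [
    { id: "GHSA-prod-0001", expires: "2025-06-01" }, // ignored: production finding
    { id: "GHSA-dev-0002", expires: "2025-06-01" }, // accepted: dev-only, unexpired
    { id: "GHSA-dev-0003", expires: "2024-12-01" }, // rejected: entry has expired
  ],
};
```

On the sample the gate fails: the production finding is blocked despite its allowlist entry, the expired dev entry no longer excuses its finding, and only the unexpired dev-only entry is accepted.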

Protocol and Parity Validation

Palyra maintains strict contracts between its various components (Daemon, CLI, Web UI, Browser Service).

Protocol Contract Validation

The protocol-validate gate (invoked via just protocol) ensures that Protobuf definitions remain backward compatible and that generated stubs for Rust/TypeScript are in sync with the .proto sources justfile#97-107.

CLI Parity Checks

To ensure the CLI remains the “source of truth” for system operations, the CI runs a parity acceptance suite:

CodeQL Analysis

The codeql.yml workflow runs weekly and on PRs to perform deep static analysis of the Rust and JavaScript/TypeScript codebases, identifying potential security flaws like path injection or memory safety issues .github/workflows/codeql.yml#1-48.
Sources: .github/workflows/ci.yml#213-236, justfile#97-107, .github/workflows/codeql.yml#1-48

Specialized Regression Suites

Beyond standard unit tests, the CI executes several specialized suites to validate the complex runtime behavior of the agent system.

Deterministic Core Suite

The deterministic-core job runs the run-deterministic-core.sh script .github/workflows/ci.yml#89-122. This suite uses a mocked time and RNG environment to ensure that the agent’s reasoning and tool-calling flows are reproducible across different CI runs.

Workflow Regression Matrix

The workflow-regression suite validates end-to-end user journeys (e.g., setup → pairing → agent execution) .github/workflows/ci.yml#123-137. This ensures that changes to the GatewayService or PolicyEngine do not break existing automation workflows.

Performance Smoke Tests

The performance-smoke job monitors the resource consumption of the palyrad daemon during high-load scenarios, ensuring that memory leaks or CPU spikes are caught before release .github/workflows/ci.yml#138-171.
(Diagram: Testing Architecture Mapping)
Sources: .github/workflows/ci.yml#89-171, justfile#47-87

Dependency Management (Dependabot)

Palyra uses GitHub Dependabot to maintain up-to-date dependencies with a monthly cadence.
Sources: .github/dependabot.yml#1-44, .github/workflows/dependency-review.yml#1-35