Release Workflow Architecture
The release process is orchestrated via GitHub Actions and a suite of PowerShell scripts that manage cross-platform consistency. It follows a “Build -> Package -> Validate -> Attest” pipeline.High-Level Data Flow
This diagram illustrates the transition from raw build artifacts to a signed, validated release package. “Release Packaging Pipeline” Sources: .github/workflows/release.yml#120-210, scripts/release/package-portable.ps1#23-95, scripts/release/validate-portable-archive.ps1#28-122Version Coherence & Metadata
Before packaging, the system enforces version coherence across all workspace members. Theprepare-release job derives metadata and ensures the repository version matches the requested release tag .github/workflows/release.yml#30-65.
Key Release Artifacts
| Artifact | Description | Contents |
|---|---|---|
| Desktop Bundle | Portable GUI package | palyra-desktop-control-center, sidecars, web assets, docs. |
| Headless Package | Server-side package | palyrad, palyra, palyra-browserd, web assets, docs. |
| Release Manifest | release-manifest.json | Metadata: artifact_kind, version, platform, sha256 of binaries. |
| Checksums | checksums.txt | Canonical SHA256 hashes for every file in the archive. |
Portable Packaging Implementation
The scriptpackage-portable.ps1 is responsible for assembling the payload. It colocates the core binaries with the web/ dashboard distribution and the embedded operator documentation scripts/release/package-portable.ps1#84-95.
Binary Colocation Logic
The release assumes a specific directory structure for runtime discovery:- Binaries:
palyra,palyrad, andpalyra-browserdreside in the root scripts/release/package-portable.ps1#87-89. - Web Assets: The dashboard is placed in a
web/subdirectory scripts/release/package-portable.ps1#92. - Docs: Operator docs and help snapshots are placed in
docs/anddocs/help_snapshots/scripts/release/package-portable.ps1#93-94.
Validation & Security Gates
Palyra employs multi-layered validation to prevent the distribution of malformed or insecure artifacts.1. Archive Integrity Validation
Thevalidate-portable-archive.ps1 script performs:
- Manifest Verification: Checks
release-manifest.jsonagainst expectedartifact_kindscripts/release/validate-portable-archive.ps1#35-37. - Integrity Check: Re-calculates SHA256 hashes for every file and compares them to
checksums.txtscripts/release/validate-portable-archive.ps1#94-111. - Hygiene Check: Ensures no forbidden runtime artifacts (e.g.,
.sqlite,.log,node_modules) are accidentally included scripts/release/validate-portable-archive.ps1#59-92.
2. Supply Chain Security
Release engineering includes extensive supply-chain scanning:- SBOM Generation:
cargo cyclonedxgenerates a Software Bill of Materials in JSON format .github/workflows/security.yml#131-145. - Audit Gates:
cargo audit,cargo deny, andosv-scannercheck for vulnerable dependencies .github/workflows/security.yml#95-105. - Secret Scanning:
gitleaksscans the source and history for leaked credentials before release .github/workflows/security.yml#120-124.
Release Smoke Testing
Therun-release-smoke.ps1 script performs a full lifecycle simulation. It builds, packages, installs, and validates the release artifacts in a clean-room environment.
“Release Smoke Test Flow”
Sources: scripts/test/run-release-smoke.ps1#152-190, scripts/release/install-headless-package.ps1#58-72
Provenance & Attestation
Palyra generates verifiable attestations to link the final binaries back to the specific GitHub Actions workflow run.- GitHub Build Attestations: Uses
actions/attest-build-provenanceto sign the artifacts with the repository’s identity .github/workflows/release.yml#21-22. - SLSA Provenance: Generates non-forgeable provenance for all release assets, allowing users to verify that the binary was built in a secure, isolated environment.