The Palyra project utilizes a comprehensive automation suite centered around GitHub Actions to ensure code quality, security, and cross-platform distribution. The pipeline covers the entire lifecycle from local development hooks to the generation of signed, attested release bundles for Desktop and Headless environments.

CI Workflows and Quality Gates

The primary Continuous Integration (CI) pipeline enforces strict quality gates across the Rust and TypeScript codebases. It utilizes a build-and-test matrix to ensure compatibility across ubuntu-latest, macos-latest, and windows-latest .github/workflows/ci.yml#17-23. Key verification steps include:

For details, see CI Workflows and Quality Gates.

Sources: .github/workflows/ci.yml#1-236

Security Gates and Supply Chain

Palyra implements a “Security Gates” workflow that scans for vulnerabilities in the supply chain and prevents the accidental exposure of secrets. This workflow is integrated into the PR process and periodic scheduled scans.

| Tool | Purpose |
|------|---------|
| npm audit | Scans JavaScript dependencies with a custom dev-only allowlist .github/workflows/security.yml#30-64. |
| cargo audit / deny | Checks Rust crates for known vulnerabilities and license compliance .github/workflows/security.yml#95-99. |
| osv-scanner | Google’s Open Source Vulnerabilities scanner for lockfile analysis .github/workflows/security.yml#101-105. |
| gitleaks | Detects hardcoded secrets in the repository history .github/workflows/security.yml#120-124. |
| CodeQL | Static analysis for high-risk patterns in Rust and TypeScript .github/workflows/codeql.yml#1-48. |

The pipeline also generates a CycloneDX SBOM (Software Bill of Materials) and prepares for SLSA provenance attestation .github/workflows/security.yml#131-148.

For details, see Security Gates and Supply Chain.

Sources: .github/workflows/security.yml#1-156, .github/workflows/codeql.yml#1-48
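
The npm audit row above mentions a dev-only allowlist. The following is an added example, not code from the Palyra repository, of one way such a gate can work: an allowlisted advisory is tolerated only while it stays out of the production dependency tree and its entry has not expired. The function names, the allowlist shape ({ id, expires }), and the sample reports are assumptions made for illustration; the report fields follow the npm 7+ `npm audit --json` format.

```javascript
// Dev-only allowlist gate over two `npm audit --json` reports (npm 7+ format).
// ASSUMPTION: the allowlist shape { id, expires } and the policy are illustrative.

// Collect advisories from a report, keyed by "advisory-id:package".
function collectAdvisories(report) {
  const found = new Map();
  for (const [pkg, vuln] of Object.entries(report.vulnerabilities || {})) {
    for (const via of vuln.via || []) {
      // String entries only point at another vulnerable package; skip them.
      if (typeof via !== "object" || via === null) continue;
      const id = (via.url || "").split("/").pop() || String(via.source);
      found.set(`${id}:${pkg}`, { id, pkg, severity: via.severity });
    }
  }
  return found;
}

// fullReport: `npm audit --json`; prodReport: `npm audit --omit=dev --json`.
function gateFindings(fullReport, prodReport, allowlist, today) {
  const prod = collectAdvisories(prodReport);
  const failures = [];
  for (const [key, adv] of collectAdvisories(fullReport)) {
    const entry = allowlist.find((e) => e.id === adv.id);
    let reason = null;
    if (prod.has(key)) reason = "present in production dependencies";
    else if (!entry) reason = "dev-only but not allowlisted";
    else if (entry.expires < today) reason = "allowlist entry expired";
    if (reason) failures.push({ ...adv, reason });
  }
  return failures;
}

// Constructed sample data: package names and advisory IDs are placeholders.
const mkVia = (n, name, severity) => ({
  source: n, name, severity, url: `https://github.com/advisories/GHSA-demo-demo-000${n}`,
});
const SAMPLE_FULL = { auditReportVersion: 2, vulnerabilities: {
  "demo-test-runner": { via: [mkVia(1, "demo-test-runner", "moderate")] },
  "demo-bundler": { via: [mkVia(2, "demo-bundler", "high"), "demo-test-runner"] },
  "demo-http-client": { via: [mkVia(3, "demo-http-client", "high")] },
  "demo-linter": { via: [mkVia(4, "demo-linter", "low")] },
} };
const SAMPLE_PROD = { vulnerabilities: { "demo-http-client": { via: [mkVia(3, "demo-http-client", "high")] } } };
const SAMPLE_ALLOWLIST = [
  { id: "GHSA-demo-demo-0001", expires: "2099-01-01" }, // dev-only, accepted
  { id: "GHSA-demo-demo-0003", expires: "2099-01-01" }, // allowlisted, but reaches prod
  { id: "GHSA-demo-demo-0004", expires: "2020-01-01" }, // expired entry
];
console.log(gateFindings(SAMPLE_FULL, SAMPLE_PROD, SAMPLE_ALLOWLIST, "2025-01-01"));
```

Dates are compared as ISO 8601 strings, so the allowlist and the `today` argument must both use the YYYY-MM-DD form.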

Release Packaging and Distribution

The release engineering process transforms the monorepo source into portable, platform-specific archives. Packaging is handled by PowerShell scripts that bundle the core palyrad daemon, palyra-browserd automation service, the palyra CLI, and the pre-built web dashboard .github/workflows/release.yml#84-85.

Distribution Flow

Sources: scripts/release/package-portable.ps1#1-148, scripts/release/common.ps1#1-200

The release workflow validates version coherence across all crates before generating artifacts .github/workflows/release.yml#45. It also produces detailed migration and release notes .github/workflows/release.yml#81-106.

For details, see Release Packaging and Distribution.

Sources: .github/workflows/release.yml#1-169, scripts/release/package-portable.ps1#1-170

Testing Strategy: Deterministic, Fuzz, and Regression

Palyra employs a multi-tiered testing strategy that moves beyond simple unit tests to ensure system-level reliability.
  • Deterministic Core: A suite designed to verify the core logic of the daemon and state machine under reproducible conditions .github/workflows/ci.yml#89-122.
  • Workflow Regression: Matrix-based testing of common agent workflows to prevent regressions in tool calling or session compaction .github/workflows/ci.yml#123-137.
  • Release Smoke Tests: Before any release is finalized, the run-release-smoke.ps1 script performs a full installation and execution test of the packaged archives, verifying commands like palyra setup, palyra doctor, and palyra docs scripts/test/run-release-smoke.ps1#40-108.
  • Offline Documentation: The palyra docs command allows operators to search and view bundled markdown documentation (like migration-notes.md) directly from the CLI crates/palyra-cli/src/commands/docs.rs#74-85.

Release Validation Logic

Sources: scripts/test/run-release-smoke.ps1#40-108, scripts/release/validate-portable-archive.ps1#29-92

For details, see Testing Strategy: Deterministic, Fuzz, and Regression.

Sources: .github/workflows/ci.yml#89-171, scripts/test/run-release-smoke.ps1#1-180, crates/palyra-cli/src/commands/docs.rs#11-85
