Makefile and justfile targets to allow developers to mirror CI checks locally.
Pipeline Architecture Overview
The Palyra CI/CD infrastructure is divided into four primary domains: quality assurance, security/supply chain, release distribution, and fuzzing. These domains are implemented as distinct workflows that coordinate to validate every commit and pull request.

System Mapping: CI/CD to Code Entities
The following diagram illustrates how the GitHub Actions workflows interact with specific scripts and tools within the repository to enforce system integrity.

[Diagram: Workflow and Script Association]

Sources: .github/workflows/ci.yml#1-10, .github/workflows/security.yml#1-10, .github/workflows/release.yml#1-10, Makefile#126-130, justfile#76-80

CI Pipeline and Quality Gates
The CI pipeline (.github/workflows/ci.yml) enforces code style, linting, and functional correctness across a multi-OS matrix (Ubuntu, macOS, Windows) .github/workflows/ci.yml#18-23. Key gates include:
- Rust Quality: Execution of rustfmt and clippy with warnings denied (treated as errors) .github/workflows/ci.yml#207-212.
- Web Validation: Cleanroom validation of the React/TypeScript workspaces using the vp (Vite+) tool .github/workflows/ci.yml#204-205.
- Regression Suites: Execution of deterministic core tests and workflow regression matrices to prevent behavioral drift .github/workflows/ci.yml#120-136.
- CLI Parity: Automated checks to ensure CLI argument structures match expected snapshots and documentation .github/workflows/ci.yml#213-230.
Security Gates and Supply Chain
Security is integrated directly into the SDLC via the security.yml workflow. This pipeline focuses on dependency hygiene and secret prevention:
- Dependency Auditing: Uses cargo audit, cargo deny, and osv-scanner to identify vulnerable crates .github/workflows/security.yml#95-105.
- Secret Scanning: Employs gitleaks and custom high-risk pattern scanners to prevent credential leakage .github/workflows/security.yml#120-130.
- Supply Chain: Generates CycloneDX SBOMs and build attestations for every release candidate .github/workflows/security.yml#131-149.
- Artifact Hygiene: Validates that no sensitive runtime artifacts (such as SQLite databases or logs) are accidentally committed .github/workflows/security.yml#125-126.
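The artifact-hygiene gate above is the kind of check that is cheap to mirror locally. The script below is an added example and is not the project's security.yml step: it flags tracked or staged paths whose names look like runtime artifacts, and also sniffs file contents for the SQLite header so a database renamed to dodge the name check is still caught. The SQLite and log patterns follow the gate as described; the remaining patterns, the function names and the git invocations are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not Palyra's own CI step): detect runtime artifacts that
# should never be committed. Name patterns and helper names are assumptions.
set -u

# Glob patterns matched against the file name (not the full path). The
# SQLite and log entries follow the documented gate; the rest are extras a
# real policy would tune.
FORBIDDEN_PATTERNS='*.sqlite *.sqlite3 *.db *.db-wal *.db-shm *.log *.pem .env'

# scan_paths: read one path per line on stdin, print every offending path
# with the pattern that caught it, and return 1 if anything matched.
scan_paths() {
  hits=0
  set -f   # keep $FORBIDDEN_PATTERNS from globbing against the working tree
  while IFS= read -r path; do
    [ -n "$path" ] || continue
    base=${path##*/}
    for pat in $FORBIDDEN_PATTERNS; do
      case "$base" in
        $pat) printf 'forbidden artifact: %s (matches %s)\n' "$path" "$pat"
              hits=$((hits + 1)); break ;;
      esac
    done
  done
  set +f
  [ "$hits" -eq 0 ]
}

# Name checks miss a database renamed to e.g. state.bin. Every SQLite file
# begins with the 16-byte header "SQLite format 3\0", so sniff the first 15
# printable bytes as well.
is_sqlite_file() {
  [ -f "$1" ] && [ "$(head -c 15 "$1" 2>/dev/null)" = "SQLite format 3" ]
}

# scan_contents: same stdin contract as scan_paths, but decides by content.
scan_contents() {
  hits=0
  while IFS= read -r path; do
    if is_sqlite_file "$path"; then
      printf 'sqlite database by content: %s\n' "$path"; hits=$((hits + 1))
    fi
  done
  [ "$hits" -eq 0 ]
}

# CI should scan everything the repository tracks; a pre-push or pre-commit
# hook only needs what is about to land. Both run name and content checks and
# fail if either finds something.
check_tracked_files() {
  rc=0
  git ls-files | scan_paths    || rc=1
  git ls-files | scan_contents || rc=1
  return "$rc"
}
check_staged_files() {
  rc=0
  git diff --cached --name-only --diff-filter=AM | scan_paths    || rc=1
  git diff --cached --name-only --diff-filter=AM | scan_contents || rc=1
  return "$rc"
}
```

Run `check_tracked_files` from the repository root in CI and `check_staged_files` from a hook. Matching on the base name rather than the full path keeps a pattern like `*.log` from also matching a directory called `build.log/`.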
Release Packaging and Distribution
The release process (.github/workflows/release.yml) automates the creation of portable bundles for Desktop and Headless environments.
- Coherence Checks: Validates that version strings are consistent across all workspace members before proceeding .github/workflows/release.yml#45-49.
- Portable Bundling: Uses package-portable.ps1 to create self-contained archives including palyrad, palyra-browserd, and the web dashboard .github/workflows/release.yml#82-91.
- Provenance: Generates SHA256 manifests and GitHub build attestations to ensure artifact integrity .github/workflows/release.yml#19-22.
- Smoke Testing: Runs a full installation and lifecycle test (release-smoke) before finalizing the GitHub Release .github/workflows/release.yml#88-89.
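A SHA256 manifest is only as useful as the verification step on the consuming side. The script below is an added example, not the project's release.yml or package-portable.ps1: it writes a manifest for a bundle directory and verifies it, failing on a digest mismatch, a missing file, or a file the manifest never listed. The last case matters because a plain `sha256sum -c` only checks what is listed, so an extra binary dropped into the archive would pass silently. The bundle layout and function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not Palyra's release tooling): SHA256 manifest generation and
# strict verification for a directory of release artifacts.
set -u

# Use whichever checksum tool the host has (GNU coreutils or macOS/BSD).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Relative paths of every regular file under DIR, sorted bytewise, excluding
# the manifest itself. Relative paths keep the manifest portable.
list_files() {
  ( cd "$1" && find . -type f ! -name SHA256SUMS | sed 's|^\./||' | LC_ALL=C sort )
}

# write_manifest DIR: print "<sha256>  <relative path>" lines, the format
# that `sha256sum -c` also understands.
write_manifest() {
  list_files "$1" | while IFS= read -r rel; do
    printf '%s  %s\n' "$(sha256_of "$1/$rel")" "$rel"
  done
}

# verify_manifest DIR MANIFEST: return 0 only if every listed file hashes to
# its recorded digest and DIR contains nothing the manifest does not list.
verify_manifest() {
  dir=$1; manifest=$2; bad=0
  while IFS= read -r line; do
    expected=${line%%  *}; rel=${line#*  }
    if [ ! -f "$dir/$rel" ]; then
      printf 'MISSING  %s\n' "$rel"; bad=1
    elif [ "$(sha256_of "$dir/$rel")" != "$expected" ]; then
      printf 'MISMATCH %s\n' "$rel"; bad=1
    fi
  done < "$manifest"
  # Anything on disk that the manifest does not name is a tampering signal.
  listed=$(sed 's/^[0-9a-f]*  //' "$manifest")
  unlisted=$(list_files "$dir" | while IFS= read -r rel; do
    printf '%s\n' "$listed" | grep -Fxq -- "$rel" || printf 'UNLISTED %s\n' "$rel"
  done)
  if [ -n "$unlisted" ]; then printf '%s\n' "$unlisted"; bad=1; fi
  return "$bad"
}
```

The manifest protects integrity, not authenticity: an attacker who can replace the bundle can replace SHA256SUMS too. That is what the GitHub build attestation listed above adds, so a consumer should verify the attestation for the archive first and only then trust the manifest inside it.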
Fuzzing Harness
Palyra maintains a suite of fuzzing targets in the fuzz/ directory to identify edge-case crashes and logic errors in critical parsers.
- Target Areas: Includes parsers for config_path, a2ui_json, webhook_payload, and redaction_routines Makefile#147-160.
- Execution: Fuzz targets are built using cargo-fuzz and are designed to run in continuous overnight campaigns infra/ci/security.yml#19-22.
Developer Pre-push Workflow
To minimize CI failures, developers are encouraged to use the local pre-push gate. It is installed via .githooks/pre-push, which invokes the scripts/run-pre-push-checks.sh script .githooks/pre-push#1-4.
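As an added example of what such a gate runner can look like (this is not the project's scripts/run-pre-push-checks.sh), the script below runs the quality gates from the CI section and the dependency and secret gates from the security section, keeps going after a failure so one push reports every problem, and refuses to pass when a required tool is simply not installed. That last point is the security-relevant one: a gitleaks or cargo-audit gate that silently vanishes on one developer's machine is exactly how a secret reaches the remote. The gate commands, the `origin/main` base ref and the PRE_PUSH_GATES switch are assumptions.

```shell
#!/usr/bin/env bash
# Added example of a local pre-push gate runner; not Palyra's own script.
# Gate commands and the origin/main base ref are assumptions.
set -u

GATES_PASSED=0; GATES_FAILED=0; GATES_MISSING=0; GATE_REPORT=''

# run_gate NAME REQUIRED_BIN CMD...: run one gate and record the outcome.
# A gate whose tool is absent is reported MISSING and still blocks the push.
# Cargo subcommands are separate binaries named cargo-<sub> on PATH, so that
# is what is probed for them. Gate output streams straight through so the
# developer sees the failing lint or finding.
run_gate() {
  name=$1; need=$2; shift 2
  if ! command -v "$need" >/dev/null 2>&1; then
    GATES_MISSING=$((GATES_MISSING + 1))
    GATE_REPORT="${GATE_REPORT}MISSING $name (needs $need on PATH)\n"
    return 2
  fi
  if "$@"; then
    GATES_PASSED=$((GATES_PASSED + 1))
    GATE_REPORT="${GATE_REPORT}PASS    $name\n"
    return 0
  fi
  GATES_FAILED=$((GATES_FAILED + 1))
  GATE_REPORT="${GATE_REPORT}FAIL    $name (rerun by hand: $*)\n"
  return 1
}

# gate_summary: print the report; non-zero if anything failed or was missing,
# which is what makes the hook block the push.
gate_summary() {
  printf '%b' "$GATE_REPORT"
  printf 'passed=%d failed=%d missing=%d\n' "$GATES_PASSED" "$GATES_FAILED" "$GATES_MISSING"
  [ "$GATES_FAILED" -eq 0 ] && [ "$GATES_MISSING" -eq 0 ]
}

# Mirrors the CI quality gates and the security workflow's dependency and
# secret gates. Every gate runs even after an earlier one fails.
run_all_gates() {
  run_gate rustfmt     cargo-fmt    cargo fmt --all -- --check
  run_gate clippy      cargo-clippy cargo clippy --workspace --all-targets -- -D warnings
  run_gate tests       cargo        cargo test --workspace
  run_gate cargo-audit cargo-audit  cargo audit
  run_gate cargo-deny  cargo-deny   cargo deny check
  run_gate gitleaks    gitleaks     gitleaks detect --no-banner --log-opts=origin/main..HEAD
  gate_summary
}

# Run the real gates only when asked (PRE_PUSH_GATES=1), so the functions can
# also be sourced and exercised with substitute commands.
if [ "${PRE_PUSH_GATES:-0}" = 1 ]; then run_all_gates; fi
```

Wired into .githooks/pre-push as `PRE_PUSH_GATES=1 sh scripts/run-pre-push-checks.sh`, the hook's exit status is the summary's, so any FAIL or MISSING line stops the push. Treating MISSING as a failure is deliberate; if a team wants a softer policy for slow gates like the full test suite, make that an explicit per-gate flag rather than a silent skip.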
Local Verification Flow
Sources: Makefile#7-11, justfile#7-11, .githooks/pre-push#1-4, scripts/run-pre-push-checks.sh#1-5