Release Packaging and Distribution

The Palyra release pipeline is a multi-stage process that ensures version coherence, builds cross-platform binaries, packages portable bundles for desktop and headless environments, and generates cryptographic attestations for supply chain security. The process is primarily driven by the release.yml GitHub Actions workflow and a suite of PowerShell scripts.

Release Workflow Lifecycle

The release process begins with metadata preparation and version validation before proceeding to parallel packaging of platform-specific artifacts.

1. Version Coherence and Metadata

The prepare-release job asserts that the repository version is consistent across all manifests using assert-version-coherence.ps1 .github/workflows/release.yml#41-49. It generates release and migration notes that are automatically uploaded as draft release assets .github/workflows/release.yml#108-114.

2. Portable Packaging Logic

Packaging is handled by package-portable.ps1, which creates two distinct artifact types:

Desktop Portable Bundle: Includes the Tauri-based Control Center, palyrad, palyra-browserd, palyra CLI, and the web/ dashboard bundle .scripts/release/package-portable.ps1#84-86.
Headless Portable Package: Includes the daemon, browser service, CLI, and web dashboard, but excludes the GUI control center .scripts/release/package-portable.ps1#32-33.

3. Artifact Verification

Every package undergoes strict validation via validate-portable-archive.ps1. This script ensures:

Manifest Presence: Verification of release-manifest.json and checksums.txt .scripts/release/validate-portable-archive.ps1#29-32.
Hygiene: Ensuring no runtime artifacts (SQLite databases, logs, WAL files) are accidentally included in the distribution .scripts/release/validate-portable-archive.ps1#59-92.
Integrity: Re-calculating SHA256 hashes for every file in the payload against the manifest .scripts/release/validate-portable-archive.ps1#94-111.

Sources: .github/workflows/release.yml#30-120, scripts/release/package-portable.ps1#1-160, scripts/release/validate-portable-archive.ps1#1-133

Packaging Data Flow

The following diagram illustrates the transformation from source code and build artifacts into a validated release package.

Build to Package Transformation

Sources: scripts/release/package-portable.ps1#65-95, scripts/release/validate-portable-archive.ps1#29-33

Security and Provenance

Palyra implements a “Security Gate” model to ensure that distributed artifacts are trustworthy.

Supply Chain Protections

The security.yml workflow runs alongside the release to generate:

SBOM: A Software Bill of Materials in CycloneDX format using cargo cyclonedx .github/workflows/security.yml#131-132.
Vulnerability Scanning: Integration with cargo audit, cargo deny, and osv-scanner .github/workflows/security.yml#95-104.
Secret Scanning: gitleaks is used to prevent accidental credential leakage in the release payload .github/workflows/security.yml#120-123.

Build Attestations

For every release asset, the workflow generates a GitHub Build Attestation. This provides a non-forgeable link between the published binary and the specific GitHub Actions run that produced it .github/workflows/release.yml#21-22. Sources: .github/workflows/security.yml#11-156, .github/workflows/release.yml#19-23

Installation and Lifecycle Scripts

Portable packages are accompanied by install-desktop-package.ps1 and install-headless-package.ps1 to manage the local deployment lifecycle.

Key Lifecycle Functions

Function	Role	File Reference
`Install-PalyraCliExposure`	Creates shims/symlinks to expose the `palyra` command to the shell.	scripts/release/common.ps1#264
`Expand-ZipArchiveSafely`	Unpacks archives while preventing ZipSlip (path traversal) attacks.	scripts/release/common.ps1#209-245
`Set-ExecutablePermissions`	Ensures binaries have the `+x` bit set on Unix-like systems.	scripts/release/common.ps1#251-262

Headless Service Integration

The headless installer automatically generates a systemd unit file (palyrad.service) on Linux systems, pre-configured with the correct PALYRA_CONFIG and PALYRA_STATE_ROOT environment variables .scripts/release/install-headless-package.ps1#88-112. Sources: scripts/release/install-desktop-package.ps1#1-100, scripts/release/install-headless-package.ps1#1-132, scripts/release/common.ps1#200-300

Release Smoke Test

Before a release is published, run-release-smoke.ps1 executes a comprehensive end-to-end validation in a clean environment.

Smoke Test Coverage

Installation Validation: Performs a full install of both desktop and headless packages into temporary directories .scripts/test/run-release-smoke.ps1#178-185.
CLI Discovery: Uses Assert-CommandResolvesFromRoot to verify that the palyra command correctly points to the newly installed binary rather than a pre-existing system version .scripts/test/run-release-smoke.ps1#8-38.
Surface Audit: Executes a battery of help commands and diagnostics (e.g., palyra doctor --json) to ensure all subcommands are functional .scripts/test/run-release-smoke.ps1#55-72.
Documentation Search: Verifies that the bundled offline documentation can be queried via the CLI docs command .scripts/test/run-release-smoke.ps1#87-91.
Dry-run Lifecycle: Tests update --dry-run and uninstall --dry-run to ensure lifecycle logic is sound without mutating the host .scripts/test/run-release-smoke.ps1#95-108.

Smoke Test Logic Flow

Sources: scripts/test/run-release-smoke.ps1#1-185, crates/palyra-cli/src/commands/docs.rs#74-85

​Release Workflow Lifecycle

​1. Version Coherence and Metadata

​2. Portable Packaging Logic

​3. Artifact Verification

​Packaging Data Flow

​Build to Package Transformation

​Security and Provenance

​Supply Chain Protections

​Build Attestations

​Installation and Lifecycle Scripts

​Key Lifecycle Functions

​Headless Service Integration

​Release Smoke Test

​Smoke Test Coverage

​Smoke Test Logic Flow