CI/CD Pipeline Architecture
Palyra utilizes GitHub Actions for continuous integration, security auditing, and release orchestration. The pipeline is designed to be multi-platform, covering Linux, macOS, and Windows.

Workflow Orchestration
The system is governed by several specialized workflows:

| Workflow | File Path | Purpose |
|---|---|---|
| CI | .github/workflows/ci.yml#1-1 | Primary build/test suite for PRs and pushes to main. |
| Security Gates | .github/workflows/security.yml#1-1 | Supply chain analysis, secret scanning, and SBOM generation. |
| CodeQL | .github/workflows/codeql.yml#1-1 | Semantic code analysis for Rust, Action, and JS/TS. |
| Release | .github/workflows/release.yml#1-1 | Metadata preparation and multi-platform artifact bundling. |
| Dependency Review | .github/workflows/dependency-review.yml#1-1 | Vulnerability scanning for new dependencies in PRs. |
Data Flow: CI to Release
The following diagram illustrates the flow from code submission to release artifact generation.

[Diagram: CI/CD Pipeline Flow]

Sources: .github/workflows/ci.yml#16-215, .github/workflows/security.yml#11-156, .github/workflows/release.yml#29-173

Security SDLC Baseline
Palyra enforces a “fail-closed” security baseline that scans the supply chain, detects high-risk patterns, and generates provenance data.

1. Supply Chain & Vulnerability Scanning
The security-gates job executes several industry-standard tools:
- cargo-audit: Checks Cargo.lock against the RustSec Advisory Database .github/workflows/security.yml#95-96.
- cargo-deny: Enforces license compliance and bans problematic crates .github/workflows/security.yml#98-99.
- OSV Scanner: Uses Google’s Open Source Vulnerabilities database to find flaws in dependencies .github/workflows/security.yml#101-104.
- npm audit: Validates the apps/web frontend dependencies, with a specific allowlist for dev-only advisories .github/workflows/security.yml#30-63.
2. Static Analysis & Secret Detection
- Gitleaks: Scans the entire repository history for secrets, keys, and tokens .github/workflows/security.yml#120-123.
- CodeQL: Performs deep semantic analysis. For Rust, it uses build-mode: none to keep CI lightweight while maintaining coverage .github/workflows/codeql.yml#37-48.
- High-Risk Pattern Scan: A custom script (check-high-risk-patterns.sh) that flags dangerous code patterns or bypasses of the security model .github/workflows/security.yml#128-129.
3. Artifact Hygiene and Provenance
- Runtime Artifact Hygiene: Ensures no temporary files, local databases, or build artifacts are accidentally committed .github/workflows/security.yml#125-126.
- SBOM Generation: Produces a CycloneDX JSON Software Bill of Materials for every release .github/workflows/security.yml#131-145.
- Build Attestations: Generates GitHub build attestations to provide verifiable provenance for release binaries .github/workflows/release.yml#21-22.
Pre-Push Gate Scripts
To minimize CI failure cycles, developers use scripts/run-pre-push-checks.sh. This script mirrors the CI environment locally.
Profiles
The gate supports two profiles via the PALYRA_PRE_PUSH_PROFILE environment variable scripts/run-pre-push-checks.sh#5-5:
- Fast (Default): Runs lints, clippy, and tests only for changed crates scripts/run-pre-push-checks.sh#152-182.
- Full: Runs the entire workspace test suite and workflow regressions scripts/run-pre-push-checks.sh#184-220.
Logic: Delta Testing
The script optimizes execution by detecting which Rust packages have changed relative to the upstream branch and only testing those scripts/run-pre-push-checks.sh#96-112. However, if global files like Cargo.toml or rust-toolchain.toml change, it forces a full workspace test scripts/run-pre-push-checks.sh#114-126.

[Diagram: Pre-Push Logic Mapping]

Sources: scripts/run-pre-push-checks.sh#7-182, scripts/dev/report-module-budgets.sh#14-14
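The delta rule above, written out as an added example that is not the project's own run-pre-push-checks.sh: it maps changed paths to crate names and escalates to a full run when a global file is touched. The crates/<name>/ layout, the exact trigger file list and the changed-path samples are assumptions.

```shell
#!/bin/sh
# Added example, not the project's run-pre-push-checks.sh: pick the Rust
# packages to test from a list of changed paths, following the delta rule
# described above. The crates/<name>/ layout and the exact global trigger
# files are assumptions; the changed-path lists fed in are constructed.

# Paths whose change invalidates the delta and forces a full workspace run.
GLOBAL_TRIGGERS='Cargo.toml Cargo.lock rust-toolchain.toml'

# test_scope reads changed paths (one per line) on stdin and prints either
# "full" or a space-separated, de-duplicated list of changed crate names
# (empty when nothing under crates/ changed).
test_scope() {
  scope=''
  while IFS= read -r path; do
    [ -n "$path" ] || continue
    for trigger in $GLOBAL_TRIGGERS; do
      if [ "$path" = "$trigger" ]; then
        echo full
        return 0
      fi
    done
    case "$path" in
      crates/*/*)
        crate=${path#crates/}
        crate=${crate%%/*}
        case " $scope " in
          *" $crate "*) ;;                        # already selected
          *) scope="$scope${scope:+ }$crate" ;;
        esac ;;
      *) ;;   # docs, apps/web, scripts: nothing for cargo test to do
    esac
  done
  echo "$scope"
}

# Local run: the upstream diff feeds test_scope, then cargo tests the result.
run_delta() {
  scope=$(git diff --name-only "$(git merge-base @{upstream} HEAD)" | test_scope)
  if [ "$scope" = full ]; then
    cargo test --workspace
  elif [ -n "$scope" ]; then
    for c in $scope; do cargo test -p "$c"; done
  else
    echo "no Rust crates changed"
  fi
}
```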
Architectural Boundary Ratchets
Palyra uses “ratchets” to prevent architectural erosion. These are enforced in CI via quality jobs.
Module Budgets
The report-module-budgets.sh script enforces line-count limits on source files to prevent “God Objects.”
- Warn Threshold: 1,200 lines scripts/dev/report-module-budgets.sh#7-7.
- Critical Threshold: 3,000 lines scripts/dev/report-module-budgets.sh#8-8.
- Strict Mode: In CI, it fails if any file exceeds 5,000 lines or if an entry point (main.rs/lib.rs) exceeds 2,500 lines scripts/dev/report-module-budgets.sh#9-11.
- Allowlist: Files exceeding these limits must be explicitly added to scripts/dev/module-budget-allowlist.txt scripts/dev/report-module-budgets.sh#14-14.
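The budget thresholds, strict mode and allowlist combined into one classifier, as an added example that is not Palyra's report-module-budgets.sh. The thresholds are the ones listed above; the allowlist contents, file paths and line counts are constructed, and the assumption that the allowlist only exempts a file from the strict-mode failure is this example's.

```shell
#!/bin/sh
# Added example, not Palyra's report-module-budgets.sh: classify a source file
# against the module-budget thresholds listed above. The thresholds are the
# page's; the allowlist contents, file paths and line counts are constructed.
WARN_LINES=1200
CRITICAL_LINES=3000
STRICT_MAX_LINES=5000          # CI fails any file above this
STRICT_ENTRY_MAX_LINES=2500    # tighter limit for main.rs / lib.rs

# Constructed stand-in for scripts/dev/module-budget-allowlist.txt
# (one repo-relative path per line).
ALLOWLIST='crates/legacy/src/big_module.rs
crates/legacy/src/lib.rs'

is_allowlisted() {
  printf '%s\n' "$ALLOWLIST" | grep -Fxq -- "$1"
}

is_entry_point() {
  case "$(basename "$1")" in
    main.rs|lib.rs) return 0 ;;
    *) return 1 ;;
  esac
}

# budget_status PATH LINE_COUNT STRICT(0|1)
# Prints: ok | warn | critical | fail | allowlisted
# Strict mode (CI) turns an over-limit file into "fail" unless it is
# allowlisted; outside CI the same file only warns or is critical.
budget_status() {
  path=$1; lines=$2; strict=$3
  if [ "$strict" = 1 ]; then
    limit=$STRICT_MAX_LINES
    if is_entry_point "$path"; then limit=$STRICT_ENTRY_MAX_LINES; fi
    if [ "$lines" -gt "$limit" ]; then
      if is_allowlisted "$path"; then echo allowlisted; else echo fail; fi
      return 0
    fi
  fi
  if [ "$lines" -gt "$CRITICAL_LINES" ]; then echo critical
  elif [ "$lines" -gt "$WARN_LINES" ]; then echo warn
  else echo ok
  fi
}

# Report every non-ok file in a tree; STRICT=1 reproduces the CI gate.
report_budgets() {
  find "${1:-crates}" -name '*.rs' | while IFS= read -r f; do
    status=$(budget_status "$f" "$(wc -l < "$f" | tr -d ' ')" "${STRICT:-0}")
    [ "$status" = ok ] || echo "$status $f"
  done
}
```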
Dependency Boundaries
The check-architecture-boundaries.sh script uses git grep to ensure crates do not import forbidden modules. Examples include:
- Connectors: Must stay provider-neutral and cannot import palyra-daemon or palyra-policy scripts/check-architecture-boundaries.sh#57-61.
- Vault: Must remain runtime-independent (no axum or tauri imports) scripts/check-architecture-boundaries.sh#69-74.
- Frontend: JS/TS code in apps/web cannot directly import Rust source files from crates/ scripts/check-architecture-boundaries.sh#75-79.
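The three boundary rules above as grep checks, an added example that is not Palyra's check-architecture-boundaries.sh. The crate directory names under crates/ and the import patterns are assumptions, and a small sample tree is constructed so the checks run outside a git checkout (inside one, git grep -nE would take the place of grep -rnE).

```shell
#!/bin/sh
# Added example, not Palyra's check-architecture-boundaries.sh: grep-based
# checks for the three boundary rules listed above. Directory names under
# crates/ and the import patterns are assumptions; the sample tree is
# constructed so the example runs outside a git checkout.

# Each rule: a scope directory and an ERE that must have no matches there.
# Offending lines go to stderr; stdout carries only the count of broken rules.
check_boundaries() {
  root=$1; broken=0
  # Connectors stay provider-neutral: no daemon or policy crate imports.
  if grep -rnE -- 'palyra[_-](daemon|policy)' "$root/crates/palyra-connectors" >&2; then
    broken=$((broken + 1))
  fi
  # Vault stays runtime-independent: no axum or tauri imports.
  if grep -rnE -- '^[[:space:]]*use (axum|tauri)(::|;)' "$root/crates/palyra-vault" >&2; then
    broken=$((broken + 1))
  fi
  # Frontend must not reach into Rust sources under crates/.
  if grep -rnE -- "from ['\"][^'\"]*crates/" "$root/apps/web" >&2; then
    broken=$((broken + 1))
  fi
  echo "$broken"
}

# Constructed tree with one violation per rule, plus a harmless import.
build_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/crates/palyra-connectors/src" "$root/crates/palyra-vault/src" "$root/apps/web/src"
  printf 'use palyra_policy::Decision;\n' > "$root/crates/palyra-connectors/src/lib.rs"
  printf 'use serde::Serialize;\nuse axum::Router;\n' > "$root/crates/palyra-vault/src/lib.rs"
  printf "import { x } from '../../../crates/palyra-vault/src/lib.rs';\n" > "$root/apps/web/src/main.ts"
  echo "$root"
}

# Same layout with the violations removed; every rule should pass.
build_clean_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/crates/palyra-connectors/src" "$root/crates/palyra-vault/src" "$root/apps/web/src"
  printf 'use serde::Serialize;\n' > "$root/crates/palyra-connectors/src/lib.rs"
  printf 'use serde::Serialize;\n' > "$root/crates/palyra-vault/src/lib.rs"
  printf "import { api } from './api';\n" > "$root/apps/web/src/main.ts"
  echo "$root"
}

# CI-style usage: fail the job when any rule is broken.
# broken=$(check_boundaries .) ; [ "$broken" -eq 0 ] || exit 1
```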