This page details the Palyra CI/CD infrastructure, the automated security software development life cycle (SDLC) baseline, and the local validation gates that ensure code quality and security before changes reach the main branch.

CI/CD Pipeline Architecture

Palyra utilizes GitHub Actions for continuous integration, security auditing, and release orchestration. The pipeline is designed to be multi-platform, covering Linux, macOS, and Windows.

Workflow Orchestration

The system is governed by several specialized workflows:
Workflow           File path                                   Purpose
CI                 .github/workflows/ci.yml#1-1                Primary build/test suite for PRs and pushes to main.
Security Gates     .github/workflows/security.yml#1-1          Supply chain analysis, secret scanning, and SBOM generation.
CodeQL             .github/workflows/codeql.yml#1-1            Semantic code analysis for Rust, Actions, and JS/TS.
Release            .github/workflows/release.yml#1-1           Metadata preparation and multi-platform artifact bundling.
Dependency Review  .github/workflows/dependency-review.yml#1-1 Vulnerability scanning for new dependencies in PRs.

Data Flow: CI to Release

The following diagram illustrates the flow from code submission to release artifact generation.

[Diagram: CI/CD Pipeline Flow]

Sources: .github/workflows/ci.yml#16-215, .github/workflows/security.yml#11-156, .github/workflows/release.yml#29-173

Security SDLC Baseline

Palyra enforces a “fail-closed” security baseline that scans the supply chain, detects high-risk patterns, and generates provenance data.

1. Supply Chain & Vulnerability Scanning

The security-gates job executes several industry-standard tools:

2. Static Analysis & Secret Detection

3. Artifact Hygiene and Provenance

Sources: .github/workflows/security.yml#30-148, .github/workflows/codeql.yml#37-48

Pre-Push Gate Scripts

To minimize CI failure cycles, developers use scripts/run-pre-push-checks.sh. This script mirrors the CI environment locally.

Profiles

The gate supports two profiles via the PALYRA_PRE_PUSH_PROFILE environment variable (scripts/run-pre-push-checks.sh#5-5):
  1. Fast (default): runs lints, clippy, and tests only for changed crates (scripts/run-pre-push-checks.sh#152-182).
  2. Full: runs the entire workspace test suite and workflow regressions (scripts/run-pre-push-checks.sh#184-220).

Logic: Delta Testing

The script optimizes execution by detecting which Rust packages have changed relative to the upstream branch and testing only those (scripts/run-pre-push-checks.sh#96-112). However, if global files such as Cargo.toml or rust-toolchain.toml change, it forces a full workspace test (scripts/run-pre-push-checks.sh#114-126).

[Diagram: Pre-Push Logic Mapping]

Sources: scripts/run-pre-push-checks.sh#7-182, scripts/dev/report-module-budgets.sh#14-14
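The selection logic described above, as an added example that is not Palyra's own scripts/run-pre-push-checks.sh. It assumes an illustrative workspace layout where every crate lives under crates/<name>/ and the package name equals that directory name, and it defaults the upstream ref to origin/main; the functions select_packages, cargo_args and changed_files are names chosen here, not the script's. A change to Cargo.toml or rust-toolchain.toml collapses the selection to the whole workspace, mirroring the fail-safe rule in the text.

```shell
#!/usr/bin/env sh
# Added example, not Palyra's pre-push script. Picks the Cargo packages to
# test from the paths changed against the upstream branch.
# Assumption: crates live under crates/<name>/ and package name == dir name.

# Files whose change invalidates per-crate selection (from the page's text).
GLOBAL_FILES="Cargo.toml rust-toolchain.toml"

# Read changed paths from stdin, one per line. Prints one package name per
# line, or the single word ALL when a global file changed.
select_packages() {
    pkgs=""
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        for g in $GLOBAL_FILES; do
            if [ "$path" = "$g" ]; then
                echo ALL          # global change: force a full workspace run
                return 0
            fi
        done
        case "$path" in
            crates/*/*)
                name=${path#crates/}   # strip the crates/ prefix
                name=${name%%/*}       # keep only the crate directory
                case " $pkgs " in
                    *" $name "*) ;;                # already recorded
                    *) pkgs="$pkgs $name" ;;
                esac
                ;;
        esac
    done
    for p in $pkgs; do echo "$p"; done | sort
}

# Turn a selection into cargo's package flags: --workspace for ALL,
# otherwise one "-p <name>" per package.
cargo_args() {
    if [ "$1" = "ALL" ]; then
        echo "--workspace"
        return 0
    fi
    out=""
    for p in "$@"; do out="$out -p $p"; done
    echo "${out# }"
}

# Paths changed since the merge base with the upstream ref (assumed default
# origin/main); untracked files are deliberately not included.
changed_files() {
    git diff --name-only "${1:-origin/main}...HEAD"
}

main() {
    if [ "${PALYRA_PRE_PUSH_PROFILE:-fast}" = "full" ]; then
        sel=ALL
    else
        sel=$(changed_files "$@" | select_packages)
    fi
    if [ -z "$sel" ]; then
        echo "no Rust packages changed; skipping cargo test"
        return 0
    fi
    # Intentional word splitting: the selection is newline-separated names.
    set -- $(cargo_args $sel)
    echo "cargo test $*"
    cargo test "$@"
}

# Only touch git/cargo when invoked directly with --run, so the functions can
# be sourced and exercised without a repository.
if [ "${1:-}" = "--run" ]; then
    shift
    main "$@"
fi
```

Invoke as `sh delta-test.sh --run [upstream-ref]`; with `PALYRA_PRE_PUSH_PROFILE=full` the selection is skipped and the whole workspace is tested, matching the Full profile.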

Architectural Boundary Ratchets

Palyra uses “ratchets” to prevent architectural erosion. These are enforced in CI via quality jobs.

Module Budgets

The report-module-budgets.sh script enforces line-count limits on source files to prevent “God Objects.”

Dependency Boundaries

The check-architecture-boundaries.sh script uses git grep to ensure crates do not import forbidden modules. Examples include:

Sources: scripts/dev/report-module-budgets.sh#7-19, scripts/check-architecture-boundaries.sh#55-98
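Both ratchets above, module budgets and dependency boundaries, as one added example that is not Palyra's scripts/dev/report-module-budgets.sh or scripts/check-architecture-boundaries.sh. The line budget of 400, the crates/<name>/ layout, the rule list and the forbidden import patterns are all illustrative assumptions, and plain recursive grep stands in for the git grep the project uses so the check runs outside a repository. Each check prints its offenders and returns non-zero, so the CI quality job fails closed when either ratchet slips.

```shell
#!/usr/bin/env sh
# Added example, not Palyra's scripts. Two "ratchet" checks:
#   1. module budgets: no .rs file may exceed a line limit
#   2. dependency boundaries: a crate may not import forbidden modules
# Layout, limit and rules below are assumptions for illustration.

# Assumed line limit per source file.
MODULE_BUDGET=${MODULE_BUDGET:-400}

# Rules as "crate-dir;forbidden-import-regex", one per line (assumed).
BOUNDARY_RULES='crates/core;^[[:space:]]*use (reqwest|hyper|tokio::net)
crates/cli;^[[:space:]]*use .*::internal::'

# check_module_budgets ROOT [BUDGET]: 0 if every .rs file under ROOT is within
# BUDGET lines; otherwise print the offenders and return 1.
check_module_budgets() {
    root=$1
    budget=${2:-$MODULE_BUDGET}
    offenders=$(find "$root" -name '*.rs' | sort | while IFS= read -r f; do
        lines=$(wc -l < "$f" | tr -d ' ')
        if [ "$lines" -gt "$budget" ]; then
            echo "$f:$lines"
        fi
    done)
    if [ -n "$offenders" ]; then
        printf 'over budget (limit %s lines):\n%s\n' "$budget" "$offenders"
        return 1
    fi
    return 0
}

# check_boundaries ROOT: 0 if no rule matches; otherwise print each hit
# (file:line:text) and return 1. Plain grep replaces git grep here.
check_boundaries() {
    root=$1
    status=0
    while IFS=';' read -r dir pattern; do
        [ -n "$dir" ] || continue
        [ -d "$root/$dir" ] || continue
        if hits=$(grep -rnE --include='*.rs' "$pattern" "$root/$dir"); then
            printf 'forbidden import in %s:\n%s\n' "$dir" "$hits"
            status=1
        fi
    done <<EOF
$BOUNDARY_RULES
EOF
    return $status
}

# Run both ratchets so a report lists every failure, then fail if any did.
run_ratchets() {
    rc=0
    check_module_budgets "$1" || rc=1
    check_boundaries "$1" || rc=1
    return $rc
}

# Only run when invoked directly with a path, so the functions can be sourced.
if [ -n "${1:-}" ]; then
    run_ratchets "$1"
fi
```

Run it from the workspace root as `sh ratchets.sh .`; a CI job that calls it as a step inherits the non-zero exit and blocks the merge.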