Score
Controlling source code, automated builds, artifact management and deployments across environments to ensure reproducible releases; doing it involves Git branching and merge strategies, build tools (Maven/Gradle/npm), CI systems (Jenkins, GitHub Actions, Azure DevOps), artifact stores (Artifactory), versioning, release pipelines, and rollback/approval policies.
Binary artifacts in ecosystems like Maven Central often diverge from their source code, and opaque build environments introduce security risks—including untrusted CI/CD pipelines, non-reproducible builds, and undetectable dependency tampering. To address these challenges, this paper proposes an automated source-code reconstruction framework built upon an extended Macaron architecture. It integrates static analysis, GitHub Actions log parsing, and build-environment inference to automatically extract critical configuration parameters (e.g., JDK version, build commands). It introduces, for the first time in the Java context, a root-cause diagnosis mechanism for build failures and an extensible rebuild engine. Experimental evaluation demonstrates significant improvements in artifact reproducibility and verifiability across large-scale dependency graphs. The framework enables source-level software supply chain auditing and strengthens defenses against malicious builds and supply-chain contamination.
Traditional Jenkins controllers suffer from resource overloading and reduced reliability due to direct execution of build tasks. To address this, we propose a lightweight CI/CD architecture that containerizes the Jenkins controller and offloads all build execution to remote Docker hosts via secure SSH connections—effectively decoupling orchestration from build execution. The architecture incorporates atomic deployments, timestamped artifact backups, immutable artifact packaging, and automated notification mechanisms. Technically, it integrates persistent volumes, containerized build environments, and declarative pipelines. Experimental evaluation demonstrates a significant reduction in controller CPU and memory utilization, a 32% increase in build throughput, and a 41% decrease in artifact delivery latency. The solution delivers high stability, scalability, and low operational overhead, making it particularly suitable for small- to medium-scale DevOps environments.
This study addresses the lack of systematic understanding regarding the evolution of GitHub Actions workflows. Through a mixed-methods approach, we conduct the first large-scale empirical analysis of over 3.4 million workflow file versions from more than 49,000 repositories spanning November 2019 to August 2025. We identify seven categories of conceptual changes and find that repositories typically contain a median of three workflow files, with 7.3% of workflows modified weekly—approximately 75% of which involve only a single change, predominantly in task configuration and specification. Our findings further indicate that current large language model (LLM) tools have not yet significantly influenced workflow maintenance frequency, offering empirical grounding for the design of fine-grained automated maintenance tools.
This study addresses the lack of systematic understanding in the configuration and maintenance of CI/CD caching, which imposes a significant burden on developers despite its benefits for build efficiency. Through a large-scale empirical analysis of 952 repositories on GitHub Actions—encompassing 1,556 workflow files and over ten thousand cache-related changes—the authors employ code mining, configuration analysis, commit tracing, and statistical modeling to uncover real-world caching practices, evolutionary patterns, and human-bot collaboration in maintenance. The findings reveal that cache adopters are more active, caching strategies are diverse and frequently adjusted, and build- and test-related tasks evolve rapidly. Manual interventions primarily address misconfigurations, whereas version upgrades are predominantly automated by bots. The work quantifies the maintenance overhead of caching and provides empirical foundations for improving developer tooling.
The impact of release practices on software supply chain security and dependency health remains poorly understood. Method: We conduct a large-scale empirical study of 203,000 releases across 10,000 Maven Central artifacts and 1.7 million dependency relationships, integrating time-series dependency evolution modeling, statistical testing of CVE associations, and metadata mining. Contribution/Results: We uncover, for the first time, a strong negative correlation between release velocity and dependency staleness duration (p < 0.001), as well as a significant negative association with CVE counts. High-frequency releasing reduces average direct-dependency staleness by 62% and decreases CVE prevalence in transitive dependencies by 47%. These findings establish “rapid releasing” as a quantifiable, generalizable security practice—providing novel empirical evidence and methodological foundations for dependency management and software supply chain risk governance.
This study addresses the lack of systematic understanding regarding how GitHub Actions workflows are used in real-world scenarios, how developers respond to workflow failures, and how these practices relate to project characteristics. Combining large-scale quantitative analysis of 258,300 workflow runs with qualitative case studies across 21 diverse repositories, this work identifies three typical patterns developers employ to handle workflow failures and uncovers a “configuration–usage gap”—where YAML configurations exist but workflows remain effectively unused. Furthermore, the study empirically validates five hypotheses linking project features to workflow usage intensity, revealing a significant positive correlation between high usage intensity and low failure rates. These findings provide actionable empirical evidence for improving CI/CD practices.
This work addresses the absence of Git-like data versioning in existing lakehouse architectures, which hinders collaborative development among multiple agents and human-in-the-loop review workflows. To bridge this gap, the paper introduces Git semantics into lakehouse systems by extending Apache Iceberg to support lakehouse-wide commits, branches, and merges—elevating single-table snapshots to a unified versioning model. This enables agents to operate on isolated branches while ensuring atomic, cross-table changes during release. The core abstractions are formally modeled and verified using Alloy to guarantee semantic correctness. The proposed system has been deployed in production, demonstrating the feasibility and effectiveness of the collaborative workflow it enables.
Existing automated code review approaches often suffer from diminished relevance, increased redundancy, and ambiguous prioritization in repository-scale settings due to the conflation of multidimensional tasks. This work proposes a locality-first, modular multi-agent architecture that decomposes the review process into five distinct stages: repository ingestion, context synthesis, file-level analysis, issue prioritization, and summary generation. Implemented with Python CLI, FastAPI, LangGraph, and Next.js, the system delivers end-to-end localized code review capabilities and includes reusable infrastructure for evaluation and reporting. Beyond presenting a practical system design, this study explicitly articulates key architectural trade-offs, developer-facing interfaces, and common failure modes, thereby establishing a foundational platform for future empirical research in automated code review.
This work addresses the inefficiency and error-proneness of manually aggregating change descriptions and impact scopes in cloud-native CI/CD pipelines during multi-task, multi-author collaborative releases. To tackle this challenge, the authors propose a novel approach that integrates semantic commit filtering, large language model (LLM)-driven structured summarization, and static task dependency analysis—marking the first integration of LLMs with pipeline dependency analysis to automatically generate stakeholder-oriented, categorized change reports. The system has been implemented within GitHub Actions and Tekton and deployed in a production environment comprising over 20 pipelines and 60 tasks. Empirical results demonstrate significant improvements in the accuracy and timeliness of release communication, outperforming existing tools such as SmartNote and VerLog.
This work addresses the challenge of silent updates to large language models (LLMs) by service providers, which often occur without version changes and can lead to behavioral drift and functional regressions, while existing mechanisms lack deployment-side control over compatibility governance. Framing LLM updates as a software supply chain governance problem, this study proposes a deployment-side control framework that defines rule-based production contracts, constructs risk-category-oriented test suites, and enforces compatibility gates to validate model safety and performance prior to updates. Experimental results demonstrate that the approach effectively uncovers fine-grained regressions missed by aggregate metrics, while also highlighting critical challenges in test design, threshold calibration, and drift attribution.