build and release management

Controlling source code, automated builds, artifact management and deployments across environments to ensure reproducible releases; doing it involves Git branching and merge strategies, build tools (Maven/Gradle/npm), CI systems (Jenkins, GitHub Actions, Azure DevOps), artifact stores (Artifactory), versioning, release pipelines, and rollback/approval policies.

buildandreleasemanagement

12-Month Skill Trend

Momentum and market value over time
Trending
Score
+20 in 12 mo
96
12 mo agoNow
Career
Value
+$12K in 12 mo
$42K/year
12 mo agoNow

Recommended Survey Paper

Quick overview of the field
View more

Must-Read Papers

Most classic and influential ideas
View more

Binary artifacts in ecosystems like Maven Central often diverge from their source code, and opaque build environments introduce security risks—including untrusted CI/CD pipelines, non-reproducible builds, and undetectable dependency tampering. To address these challenges, this paper proposes an automated source-code reconstruction framework built upon an extended Macaron architecture. It integrates static analysis, GitHub Actions log parsing, and build-environment inference to automatically extract critical configuration parameters (e.g., JDK version, build commands). It introduces, for the first time in the Java context, a root-cause diagnosis mechanism for build failures and an extensible rebuild engine. Experimental evaluation demonstrates significant improvements in artifact reproducibility and verifiability across large-scale dependency graphs. The framework enables source-level software supply chain auditing and strengthens defenses against malicious builds and supply-chain contamination.

Addressing binary-source separation in software supply chainsAutomating rebuild process for Maven artifacts from sourceEnhancing security through transparent CI/CD pipeline verification

Controller-Light CI/CD with Jenkins: Remote Container Builds and Automated Artifact Delivery

Nov 07, 2025
KK
Kawshik Kumar Paul
🏛️ Bangladesh University of Engineering and Technology | Chittagong University of Engineering and Technology

Traditional Jenkins controllers suffer from resource overloading and reduced reliability due to direct execution of build tasks. To address this, we propose a lightweight CI/CD architecture that containerizes the Jenkins controller and offloads all build execution to remote Docker hosts via secure SSH connections—effectively decoupling orchestration from build execution. The architecture incorporates atomic deployments, timestamped artifact backups, immutable artifact packaging, and automated notification mechanisms. Technically, it integrates persistent volumes, containerized build environments, and declarative pipelines. Experimental evaluation demonstrates a significant reduction in controller CPU and memory utilization, a 32% increase in build throughput, and a 41% decrease in artifact delivery latency. The solution delivers high stability, scalability, and low operational overhead, making it particularly suitable for small- to medium-scale DevOps environments.

Delegates intensive build operations to remote Docker hostsProvides scalable automation with simplified orchestration for DevOpsReduces resource overload on Jenkins controller by offloading builds

This study addresses the lack of systematic understanding regarding the evolution of GitHub Actions workflows. Through a mixed-methods approach, we conduct the first large-scale empirical analysis of over 3.4 million workflow file versions from more than 49,000 repositories spanning November 2019 to August 2025. We identify seven categories of conceptual changes and find that repositories typically contain a median of three workflow files, with 7.3% of workflows modified weekly—approximately 75% of which involve only a single change, predominantly in task configuration and specification. Our findings further indicate that current large language model (LLM) tools have not yet significantly influenced workflow maintenance frequency, offering empirical grounding for the design of fine-grained automated maintenance tools.

CI/CDempirical studyGitHub Actions

This study addresses the lack of systematic understanding in the configuration and maintenance of CI/CD caching, which imposes a significant burden on developers despite its benefits for build efficiency. Through a large-scale empirical analysis of 952 repositories on GitHub Actions—encompassing 1,556 workflow files and over ten thousand cache-related changes—the authors employ code mining, configuration analysis, commit tracing, and statistical modeling to uncover real-world caching practices, evolutionary patterns, and human-bot collaboration in maintenance. The findings reveal that cache adopters are more active, caching strategies are diverse and frequently adjusted, and build- and test-related tasks evolve rapidly. Manual interventions primarily address misconfigurations, whereas version upgrades are predominantly automated by bots. The work quantifies the maintenance overhead of caching and provides empirical foundations for improving developer tooling.

cache maintenanceCI/CD cachingempirical study

Faster Releases, Fewer Risks: A Study on Maven Artifact Vulnerabilities and Lifecycle Management

Mar 31, 2025
MS
Md Shafiullah Shafin
🏛️ Rajshahi University of Engineering & Technology | Idaho State University

The impact of release practices on software supply chain security and dependency health remains poorly understood. Method: We conduct a large-scale empirical study of 203,000 releases across 10,000 Maven Central artifacts and 1.7 million dependency relationships, integrating time-series dependency evolution modeling, statistical testing of CVE associations, and metadata mining. Contribution/Results: We uncover, for the first time, a strong negative correlation between release velocity and dependency staleness duration (p < 0.001), as well as a significant negative association with CVE counts. High-frequency releasing reduces average direct-dependency staleness by 62% and decreases CVE prevalence in transitive dependencies by 47%. These findings establish “rapid releasing” as a quantifiable, generalizable security practice—providing novel empirical evidence and methodological foundations for dependency management and software supply chain risk governance.

Analyzing Maven artifact release speed impact on securityEvaluating dependency outdatedness in fast-release artifactsInvestigating relationship between release frequency and vulnerabilities

Latest Papers

What's happening recently
View more

This study addresses the lack of systematic understanding regarding how GitHub Actions workflows are used in real-world scenarios, how developers respond to workflow failures, and how these practices relate to project characteristics. Combining large-scale quantitative analysis of 258,300 workflow runs with qualitative case studies across 21 diverse repositories, this work identifies three typical patterns developers employ to handle workflow failures and uncovers a “configuration–usage gap”—where YAML configurations exist but workflows remain effectively unused. Furthermore, the study empirically validates five hypotheses linking project features to workflow usage intensity, revealing a significant positive correlation between high usage intensity and low failure rates. These findings provide actionable empirical evidence for improving CI/CD practices.

CI/CDfailure responseGitHub Actions

This work addresses the absence of Git-like data versioning in existing lakehouse architectures, which hinders collaborative development among multiple agents and human-in-the-loop review workflows. To bridge this gap, the paper introduces Git semantics into lakehouse systems by extending Apache Iceberg to support lakehouse-wide commits, branches, and merges—elevating single-table snapshots to a unified versioning model. This enables agents to operate on isolated branches while ensuring atomic, cross-table changes during release. The core abstractions are formally modeled and verified using Alloy to guarantee semantic correctness. The proposed system has been deployed in production, demonstrating the feasibility and effectiveness of the collaborative workflow it enables.

agent-first lakehouseatomic publishingbranching and merging

Existing automated code review approaches often suffer from diminished relevance, increased redundancy, and ambiguous prioritization in repository-scale settings due to the conflation of multidimensional tasks. This work proposes a locality-first, modular multi-agent architecture that decomposes the review process into five distinct stages: repository ingestion, context synthesis, file-level analysis, issue prioritization, and summary generation. Implemented with Python CLI, FastAPI, LangGraph, and Next.js, the system delivers end-to-end localized code review capabilities and includes reusable infrastructure for evaluation and reporting. Beyond presenting a practical system design, this study explicitly articulates key architectural trade-offs, developer-facing interfaces, and common failure modes, thereby establishing a foundational platform for future empirical research in automated code review.

automated code reviewcode review workflowcontext-aware review

This work addresses the inefficiency and error-proneness of manually aggregating change descriptions and impact scopes in cloud-native CI/CD pipelines during multi-task, multi-author collaborative releases. To tackle this challenge, the authors propose a novel approach that integrates semantic commit filtering, large language model (LLM)-driven structured summarization, and static task dependency analysis—marking the first integration of LLMs with pipeline dependency analysis to automatically generate stakeholder-oriented, categorized change reports. The system has been implemented within GitHub Actions and Tekton and deployed in a production environment comprising over 20 pipelines and 60 tasks. Empirical results demonstrate significant improvements in the accuracy and timeliness of release communication, outperforming existing tools such as SmartNote and VerLog.

change summarizationCI/CD pipelinescloud-native

This work addresses the challenge of silent updates to large language models (LLMs) by service providers, which often occur without version changes and can lead to behavioral drift and functional regressions, while existing mechanisms lack deployment-side control over compatibility governance. Framing LLM updates as a software supply chain governance problem, this study proposes a deployment-side control framework that defines rule-based production contracts, constructs risk-category-oriented test suites, and enforces compatibility gates to validate model safety and performance prior to updates. Experimental results demonstrate that the approach effectively uncovers fine-grained regressions missed by aggregate metrics, while also highlighting critical challenges in test design, threshold calibration, and drift attribution.

behavioral driftcompatibility governanceLarge Language Models

Hot Scholars

CT

Christoph Treude

Associate Professor of Computer Science, Singapore Management University
Software EngineeringEmpirical Software EngineeringHuman-AI InteractionAI for Science
PL

Peng Liang

School of Computer Science, Wuhan University
Software EngineeringSoftware ArchitectureEmpirical Software Engineering
ZZ

Zibin Zheng

IEEE Fellow, Highly Cited Researcher, Sun Yat-sen University, China
BlockchainSmart ContractServices ComputingSoftware Reliability
AE

Ahmed E. Hassan

Mustafa Prize Laureate, ACM/IEEE/NSERC Steacie Fellow, ACM Influential/IEEE Distinguished Educator
Mining Software RepositoriesSoftware AnalyticsEmpirical Software EngineeringSoftware
ZJ

Zhi Jin

Sun Yat-Sen University, Associate Professor