
CI/CD Pipeline Design

Ship Nimbus payloads through a hardened, repeatable pipeline that signs, packs, and stages every build artifact before it touches production.

Pipeline Stages

  • 01 Build: MSVC x64 Release, /MT, LTCG
  • 02 Sign: Ed25519 detached signature over .text
  • 03 Pack: Themida + CDN staging

Artifact Integrity

Every build emits a manifest.json containing the commit SHA, build timestamp, and Ed25519 signature. The loader verifies this manifest before mapping the payload.

{
  "commit": "a1b2c3d",
  "built": "2026-05-26T14:30:00Z",
  "sig": "base64-ed25519-sig..."
}

Staging Gates

  • Loader self-hash check passes (in-memory .text vs link-time baseline)
  • Payload signature verified against pinned public key
  • Canary deployment to 5% of CDN edge before full rollout
  • Auto-rollback if crash rate exceeds 0.1% in 10-minute window

Secrets Handling

Signing keys live in a hardware-backed KMS. The CI runner requests a short-lived signing token scoped to the artifact digest. No long-lived secrets touch the build environment.
