Merge pull request #7 from randlee/develop

feat: CI/CD Enhancements and NuGet Publishing Setup

Author: randlee

.github/dependabot.yml

@@ -0,0 +1,12 @@
+version: 2
+updates:
+  - package-ecosystem: "nuget"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    open-pull-requests-limit: 10
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"

.github/workflows/ci.yml

@@ -8,7 +8,11 @@ on:
 
 jobs:
   build-and-test:
-    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+    runs-on: ${{ matrix.os }}
 
     steps:
       - name: Checkout code
@@ -33,12 +37,12 @@ jobs:
         uses: actions/upload-artifact@v4
         if: always()
         with:
-          name: test-results
+          name: test-results-${{ matrix.os }}
           path: "**/TestResults/**/*.trx"
 
       - name: Upload coverage reports
         uses: actions/upload-artifact@v4
         if: always()
         with:
-          name: coverage-reports
+          name: coverage-reports-${{ matrix.os }}
           path: "**/TestResults/**/coverage.cobertura.xml"

.github/workflows/codeql.yml

@@ -0,0 +1,38 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [main, develop]
+  pull_request:
+    branches: [main, develop]
+  schedule:
+    - cron: '0 0 * * 1'  # Weekly on Monday
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ['csharp']
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v3
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{ matrix.language }}"

.github/workflows/publish.yml

@@ -0,0 +1,41 @@
+name: Publish NuGet
+
+on:
+  push:
+    tags:
+      - 'v*'  # Triggers on tags like v1.0.0, v0.5.1, etc.
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup .NET
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: '10.0.x'
+          dotnet-quality: 'preview'
+
+      - name: Extract version from tag
+        id: version
+        run: echo "VERSION=${GITHUB_REF#refs/tags/v}" >> $GITHUB_OUTPUT
+
+      - name: Restore dependencies
+        run: dotnet restore
+
+      - name: Build
+        run: dotnet build -c Release --no-restore -p:Version=${{ steps.version.outputs.VERSION }}
+
+      - name: Run tests
+        run: dotnet test -c Release --no-build
+
+      - name: Pack
+        run: dotnet pack src/RoslynDiff.Cli/RoslynDiff.Cli.csproj -c Release --no-build -p:Version=${{ steps.version.outputs.VERSION }} -o ./packages
+
+      - name: Publish to GitHub Packages
+        run: dotnet nuget push ./packages/*.nupkg --source "https://nuget.pkg.github.com/randlee/index.json" --api-key ${{ secrets.GITHUB_TOKEN }} --skip-duplicate

Directory.Build.props

@@ -20,12 +20,15 @@
     <FileVersion>0.5.0.0</FileVersion>
   </PropertyGroup>
 
+  <!-- NuGet Package Common Properties -->
   <PropertyGroup>
-    <Authors>RoslynDiff Contributors</Authors>
+    <Authors>Rand Lee</Authors>
     <Company>RoslynDiff</Company>
-    <Copyright>Copyright (c) 2025-2026 RoslynDiff Contributors</Copyright>
+    <Copyright>Copyright (c) 2025-2026 Rand Lee</Copyright>
     <RepositoryUrl>https://github.com/randlee/roslyn-diff</RepositoryUrl>
     <RepositoryType>git</RepositoryType>
+    <PackageProjectUrl>https://github.com/randlee/roslyn-diff</PackageProjectUrl>
+    <PackageLicenseExpression>MIT</PackageLicenseExpression>
   </PropertyGroup>
 
   <PropertyGroup Condition="'$(Configuration)' == 'Release'">

SECURITY.md

@@ -2,20 +2,54 @@
 
 ## Supported Versions
 
-Use this section to tell people about which versions of your project are
-currently being supported with security updates.
+The following versions of roslyn-diff are currently supported with security updates:
 
 | Version | Supported          |
 | ------- | ------------------ |
-| 5.1.x   | :white_check_mark: |
-| 5.0.x   | :x:                |
-| 4.0.x   | :white_check_mark: |
-| < 4.0   | :x:                |
+| 0.5.x   | :white_check_mark: |
+| < 0.5   | :x:                |
 
 ## Reporting a Vulnerability
 
-Use this section to tell people how to report a vulnerability.
+If you discover a security vulnerability in roslyn-diff, please report it responsibly:
 
-Tell them where to go, how often they can expect to get an update on a
-reported vulnerability, what to expect if the vulnerability is accepted or
-declined, etc.
+1. **Do not** open a public GitHub issue for security vulnerabilities.
+
+2. **Email** the maintainers directly or use GitHub's private vulnerability reporting feature.
+
+3. **Include** the following information in your report:
+   - Description of the vulnerability
+   - Steps to reproduce the issue
+   - Potential impact
+   - Any suggested fixes (optional)
+
+4. **Response timeline**:
+   - Initial acknowledgment: within 48 hours
+   - Status update: within 7 days
+   - Resolution target: within 30 days for critical issues
+
+## Security Considerations
+
+roslyn-diff is a code comparison tool that:
+
+- Reads and parses source code files locally
+- Does not transmit data over the network
+- Does not execute the code it analyzes
+- Generates HTML reports that may be opened in a browser
+
+### HTML Report Security
+
+When generating HTML reports:
+- All user-provided file paths are HTML-encoded to prevent XSS
+- JavaScript in reports is sandboxed to clipboard and UI operations only
+- Reports use `encodeURIComponent()` for URL parameters
+
+## Scope
+
+This security policy applies to:
+- The roslyn-diff CLI tool
+- The RoslynDiff.Core library
+- The RoslynDiff.Output library
+- Generated HTML/JSON output formats
+
+Third-party dependencies are managed via NuGet and should be kept updated.

src/RoslynDiff.Cli/RoslynDiff.Cli.csproj

@@ -5,13 +5,11 @@
     <AssemblyName>roslyn-diff</AssemblyName>
   </PropertyGroup>
 
-  <!-- NuGet Package Metadata (Version inherited from Directory.Build.props) -->
+  <!-- NuGet Package Metadata (common properties inherited from Directory.Build.props) -->
   <PropertyGroup>
-    <PackageId>RoslynDiff</PackageId>
-    <Description>A semantic diff tool for .NET source code using Roslyn. Unlike traditional line-by-line diff tools, roslyn-diff understands code structure, detecting and reporting changes at the semantic level (classes, methods, properties, etc.).</Description>
-    <PackageTags>roslyn;diff;semantic-diff;code-analysis;csharp;vb;dotnet;cli;tool</PackageTags>
-    <PackageProjectUrl>https://github.com/randlee/roslyn-diff</PackageProjectUrl>
-    <PackageLicenseExpression>MIT</PackageLicenseExpression>
+    <PackageId>roslyn-diff</PackageId>
+    <Description>Roslyn-based semantic diff tool for C# and VB.NET code comparison</Description>
+    <PackageTags>diff;roslyn;csharp;vbnet;code-comparison;cli</PackageTags>
     <PackageReadmeFile>README.md</PackageReadmeFile>
     <PackageIcon>icon.png</PackageIcon>
     <PackageReleaseNotes>Initial release of roslyn-diff with semantic diff capabilities for C# and VB.NET files.</PackageReleaseNotes>

src/RoslynDiff.Core/RoslynDiff.Core.csproj

@@ -1,8 +1,8 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
+  <!-- This project is NOT packaged separately - it's bundled into the CLI tool package -->
   <PropertyGroup>
-    <Description>Core library for Roslyn-based semantic code diffing</Description>
-    <PackageId>RoslynDiff.Core</PackageId>
+    <IsPackable>false</IsPackable>
   </PropertyGroup>
 
   <ItemGroup>

src/RoslynDiff.Output/RoslynDiff.Output.csproj

@@ -1,8 +1,8 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
+  <!-- This project is NOT packaged separately - it's bundled into the CLI tool package -->
   <PropertyGroup>
-    <Description>Output formatters and renderers for RoslynDiff results</Description>
-    <PackageId>RoslynDiff.Output</PackageId>
+    <IsPackable>false</IsPackable>
   </PropertyGroup>
 
   <ItemGroup>