From 1d38c0e9ab10d2396706bcd6cf69f8ebcf06b4b9 Mon Sep 17 00:00:00 2001 From: Afonso Dutra Nogueira Filho Date: Fri, 20 Feb 2026 20:11:57 -0300 Subject: [PATCH] =?UTF-8?q?=F0=9F=94=90=20Update=20security=20tokens=20and?= =?UTF-8?q?=20documentation?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Update all GitHub Actions workflows to use standardized security tokens - Configure CODECOV_TOKEN for coverage uploads in ci-build-test.yml - Update SONAR_TOKEN to SONNAR_TOKEN in code-quality.yml and security-scan.yml - Add comprehensive security tokens section to README.md - Update CHANGELOG.md with security token changes - Fix build status badge to point to correct workflow - Document token configuration for developers Tokens configured: - CODECOV_TOKEN: For codecov coverage uploads - NUGET_TOKEN: For NuGet.org publishing - SONNAR_TOKEN: For SonarCloud analysis - SNYK_TOKEN: Optional for Snyk security scans - QODANA_TOKEN: Optional for Qodana code analysis --- .github/workflows/ci-build-test.yml | 1 + .github/workflows/code-quality.yml | 14 +++++++------- .github/workflows/security-scan.yml | 14 +++++++------- CHANGELOG.md | 6 ++++++ readme.md | 24 +++++++++++++++++++++++- 5 files changed, 44 insertions(+), 15 deletions(-) diff --git a/.github/workflows/ci-build-test.yml b/.github/workflows/ci-build-test.yml index 6abc7fa..01f7f81 100644 --- a/.github/workflows/ci-build-test.yml +++ b/.github/workflows/ci-build-test.yml @@ -234,6 +234,7 @@ jobs: flags: unittests name: codecov-umbrella fail_ci_if_error: false + token: ${{ secrets.CODECOV_TOKEN }} - name: 📤 Upload test results uses: actions/upload-artifact@v4 diff --git a/.github/workflows/code-quality.yml b/.github/workflows/code-quality.yml index f48331e..3e7a274 100644 --- a/.github/workflows/code-quality.yml +++ b/.github/workflows/code-quality.yml 
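Review bot: The new `token:` input sits directly under the existing `fail_ci_if_error: false`, so an upload that fails because the secret is absent (pull requests from forks receive no repository secrets) or is rejected will pass silently and coverage will simply stop appearing without any red build. If best-effort upload is intended, say so on the line, e.g. `fail_ci_if_error: false  # fork PRs have no CODECOV_TOKEN; upload is best-effort`; otherwise consider `fail_ci_if_error: true` so a broken or rotated token is noticed on pushes to this repository, where the secret is available. If this is codecov-action v4 or later, the token is required for uploads from this repository, so adding the input is the right fix and only the failure handling is in question. The step's `uses:` line and the start of its `with:` block are outside the hunk.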
@@ -84,18 +84,18 @@ jobs: - name: 🔍 Prepare analysis on SonarQube run: | echo "🔍 Checking SonarQube configuration..." - if [ -z "${{ secrets.SONAR_TOKEN }}" ]; then - echo "❌ SONAR_TOKEN is not set or empty" + if [ -z "${{ secrets.SONNAR_TOKEN }}" ]; then + echo "❌ SONNAR_TOKEN is not set or empty" echo "⚠️ Skipping SonarQube analysis" exit 0 fi - echo "✅ SONAR_TOKEN is configured" + echo "✅ SONNAR_TOKEN is configured" dotnet sonarscanner begin \ /o:"afonsoft" \ /k:"afonsoft_metar-decoder" \ /d:sonar.host.url="https://sonarcloud.io" \ - /d:sonar.login="${{ secrets.SONAR_TOKEN }}" \ + /d:sonar.login="${{ secrets.SONNAR_TOKEN }}" \ /d:sonar.scm.provider=git \ /d:sonar.coverage.exclusions="**Test*.cs" @@ -105,12 +105,12 @@ jobs: - name: 🔍 Run Code Analysis run: | echo "🔍 Finalizing SonarQube analysis..." - if [ -z "${{ secrets.SONAR_TOKEN }}" ]; then - echo "⚠️ SONAR_TOKEN not configured, skipping analysis" + if [ -z "${{ secrets.SONNAR_TOKEN }}" ]; then + echo "⚠️ SONNAR_TOKEN not configured, skipping analysis" exit 0 fi - dotnet sonarscanner end /d:sonar.login="${{ secrets.SONAR_TOKEN }}" + dotnet sonarscanner end /d:sonar.login="${{ secrets.SONNAR_TOKEN }}" # Snyk Security Analysis snyk: diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml index cbbc80d..6516501 100644 --- a/.github/workflows/security-scan.yml +++ b/.github/workflows/security-scan.yml 
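Review bot: In both changed places the secret is expanded straight into the shell script text (`if [ -z "${{ secrets.SONNAR_TOKEN }}" ]` and `/d:sonar.login="${{ secrets.SONNAR_TOKEN }}"`), so the token value is interpolated before bash runs and a value containing `"` or `$` would break the script; the same pattern is in the `@@ -105` hunk below and in both hunks of `.github/workflows/security-scan.yml`, which duplicate this step verbatim. Exposing the secret once through `env:` on the step and referencing `$SONNAR_TOKEN` inside `run:` keeps the script static and leaves the empty-string guard (which is what makes fork pull requests skip the analysis) working unchanged. The new name `SONNAR_TOKEN` misspells Sonar; since the commit message records the rename as deliberate, a comment at the first use such as `# secret is registered as SONNAR_TOKEN in repository settings (not SONAR_TOKEN)` would stop a later maintainer from silently "correcting" it. If the installed dotnet-sonarscanner is 5.13 or newer, `/d:sonar.token=` is the non-deprecated replacement for `/d:sonar.login=`. The enclosing job definition begins before the hunk.
```yaml
      - name: 🔍 Prepare analysis on SonarQube
        env:
          SONNAR_TOKEN: ${{ secrets.SONNAR_TOKEN }}
        run: |
          echo "🔍 Checking SonarQube configuration..."
          if [ -z "$SONNAR_TOKEN" ]; then
            # … unchanged: warning messages and exit 0 …
          fi
          # … unchanged: sonarscanner begin with /o, /k and sonar.host.url …
            /d:sonar.login="$SONNAR_TOKEN" \
          # … unchanged: remaining /d: options …
```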
@@ -112,18 +112,18 @@ jobs: - name: 🔍 Prepare analysis on SonarQube run: | echo "🔍 Checking SonarQube configuration..." - if [ -z "${{ secrets.SONAR_TOKEN }}" ]; then - echo "❌ SONAR_TOKEN is not set or empty" + if [ -z "${{ secrets.SONNAR_TOKEN }}" ]; then + echo "❌ SONNAR_TOKEN is not set or empty" echo "⚠️ Skipping SonarQube analysis" exit 0 fi - echo "✅ SONAR_TOKEN is configured" + echo "✅ SONNAR_TOKEN is configured" dotnet sonarscanner begin \ /o:"afonsoft" \ /k:"afonsoft_metar-decoder" \ /d:sonar.host.url="https://sonarcloud.io" \ - /d:sonar.login="${{ secrets.SONAR_TOKEN }}" \ + /d:sonar.login="${{ secrets.SONNAR_TOKEN }}" \ /d:sonar.scm.provider=git \ /d:sonar.coverage.exclusions="**Test*.cs" @@ -133,12 +133,12 @@ jobs: - name: 🔍 Run Code Analysis run: | echo "🔍 Finalizing SonarQube analysis..." - if [ -z "${{ secrets.SONAR_TOKEN }}" ]; then - echo "⚠️ SONAR_TOKEN not configured, skipping analysis" + if [ -z "${{ secrets.SONNAR_TOKEN }}" ]; then + echo "⚠️ SONNAR_TOKEN not configured, skipping analysis" exit 0 fi - dotnet sonarscanner end /d:sonar.login="${{ secrets.SONAR_TOKEN }}" + dotnet sonarscanner end /d:sonar.login="${{ secrets.SONNAR_TOKEN }}" # Security Summary security-summary: diff --git a/CHANGELOG.md b/CHANGELOG.md index b94be20..1b38533 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -19,6 +19,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Test framework stability with graceful error handling ### Security +- **Updated Security Tokens**: Standardized token usage across all GitHub Actions workflows + - `CODECOV_TOKEN`: Configured for codecov coverage uploads + - `NUGET_TOKEN`: Configured for NuGet.org publishing + - `SONNAR_TOKEN`: Updated from SONAR_TOKEN for SonarCloud analysis - Architecture improvements following security best practices - Enhanced validation framework for input sanitization - Proper dependency injection patterns 
@@ -27,6 +31,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Refactored validation system with extensible framework - Improved code organization following Clean Architecture - Enhanced test structure with better coverage reporting +- **GitHub Actions**: Updated all workflows to use standardized security tokens +- **Documentation**: Added security tokens configuration section to README ## [1.0.8] - 2026-02-18 diff --git a/readme.md b/readme.md index 0f5ebea..912b30b 100644 --- a/readme.md +++ b/readme.md @@ -1,7 +1,7 @@ # QRCoder.Core - QR Code Generator Library -[![Build status](https://github.com/afonsoft/QRCoder.Core/actions/workflows/build-and-pack.yml/badge.svg?branch=main)](https://github.com/afonsoft/QRCoder.Core/actions/workflows/build-and-pack.yml) +[![Build status](https://github.com/afonsoft/QRCoder.Core/actions/workflows/ci-build-test.yml/badge.svg?branch=main)](https://github.com/afonsoft/QRCoder.Core/actions/workflows/ci-build-test.yml) [![codecov](https://codecov.io/gh/afonsoft/QRCoder.Core/graph/badge.svg?token=N8RED1A0D7)](https://codecov.io/gh/afonsoft/QRCoder.Core) [![NuGet Badge](https://buildstats.info/nuget/QRCoder.Core?rnd=0892982314)](https://www.nuget.org/packages/QRCoder.Core/) [![Code Quality](https://sonarcloud.io/api/project_badges/measure?project=QrCode.Core&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=QrCode.Core) 
@@ -156,6 +156,28 @@ O projeto `QRCoder.Core` é uma biblioteca que facilita a geração de códigos 3. **Geração de Payload**: A classe `PayloadGenerator` oferece métodos para criar payloads formatados para tipos específicos de Código QR, como URLs, SMS, contatos, Wi-Fi, entre outros, simplificando a criação de Códigos QR para casos de uso comuns. 4. **Tratamento de Exceções**: O projeto inclui exceções personalizadas, como `DataTooLongException`, para lidar com cenários onde os dados fornecidos excedem a capacidade máxima de um Código QR. +## 🔐 Tokens de Segurança + +O projeto utiliza os seguintes tokens de segurança configurados nos secrets do GitHub: + +### Tokens Necessários +- **CODECOV_TOKEN**: Token para upload de relatórios de cobertura para Codecov +- **NUGET_TOKEN**: Token para publicação de pacotes no NuGet.org +- **SONNAR_TOKEN**: Token para análise de código no SonarCloud + +### Configuração +Para desenvolvedores que desejam rodar os workflows localmente ou configurar o fork: + +1. Vá para **Settings** > **Secrets and variables** > **Actions** no seu repositório GitHub +2. Adicione os seguintes secrets: + - `CODECOV_TOKEN`: Obtido em [codecov.io](https://codecov.io/) + - `NUGET_TOKEN`: Obtido em [nuget.org](https://www.nuget.org/) (apenas para publicação) + - `SONNAR_TOKEN`: Obtido em [sonarcloud.io](https://sonarcloud.io/) + +### Tokens Opcionais +- **SNYK_TOKEN**: Para análise de vulnerabilidades com Snyk +- **QODANA_TOKEN**: Para análise de código com Qodana (JetBrains) + ## CI/CD e Build O projeto utiliza um pipeline completo de CI/CD com GitHub Actions para garantir qualidade e automação: