🔐 Update security tokens and documentation

.github/workflows/ci-build-test.yml

@@ -234,6 +234,7 @@ jobs:
           flags: unittests
           name: codecov-umbrella
           fail_ci_if_error: false
+          token: ${{ secrets.CODECOV_TOKEN }}
 
       - name: 📤 Upload test results
         uses: actions/upload-artifact@v4

.github/workflows/code-quality.yml

@@ -84,18 +84,18 @@ jobs:
       - name: 🔍 Prepare analysis on SonarQube
         run: |
           echo "🔍 Checking SonarQube configuration..."
-          if [ -z "${{ secrets.SONAR_TOKEN }}" ]; then
-            echo "❌ SONAR_TOKEN is not set or empty"
+          if [ -z "${{ secrets.SONNAR_TOKEN }}" ]; then
+            echo "❌ SONNAR_TOKEN is not set or empty"
             echo "⚠️ Skipping SonarQube analysis"
             exit 0
           fi
 
-          echo "✅ SONAR_TOKEN is configured"
+          echo "✅ SONNAR_TOKEN is configured"
           dotnet sonarscanner begin \
             /o:"afonsoft" \
             /k:"afonsoft_metar-decoder" \
             /d:sonar.host.url="https://sonarcloud.io" \
-            /d:sonar.login="${{ secrets.SONAR_TOKEN }}" \
+            /d:sonar.login="${{ secrets.SONNAR_TOKEN }}" \
             /d:sonar.scm.provider=git \
             /d:sonar.coverage.exclusions="**Test*.cs"
 
@@ -105,12 +105,12 @@ jobs:
       - name: 🔍 Run Code Analysis
         run: |
           echo "🔍 Finalizing SonarQube analysis..."
-          if [ -z "${{ secrets.SONAR_TOKEN }}" ]; then
-            echo "⚠️ SONAR_TOKEN not configured, skipping analysis"
+          if [ -z "${{ secrets.SONNAR_TOKEN }}" ]; then
+            echo "⚠️ SONNAR_TOKEN not configured, skipping analysis"
             exit 0
           fi
 
-          dotnet sonarscanner end /d:sonar.login="${{ secrets.SONAR_TOKEN }}"
+          dotnet sonarscanner end /d:sonar.login="${{ secrets.SONNAR_TOKEN }}"
 
   # Snyk Security Analysis
   snyk:

.github/workflows/security-scan.yml

@@ -112,18 +112,18 @@ jobs:
       - name: 🔍 Prepare analysis on SonarQube
         run: |
           echo "🔍 Checking SonarQube configuration..."
-          if [ -z "${{ secrets.SONAR_TOKEN }}" ]; then
-            echo "❌ SONAR_TOKEN is not set or empty"
+          if [ -z "${{ secrets.SONNAR_TOKEN }}" ]; then
+            echo "❌ SONNAR_TOKEN is not set or empty"
             echo "⚠️ Skipping SonarQube analysis"
             exit 0
           fi
 
-          echo "✅ SONAR_TOKEN is configured"
+          echo "✅ SONNAR_TOKEN is configured"
           dotnet sonarscanner begin \
             /o:"afonsoft" \
             /k:"afonsoft_metar-decoder" \
             /d:sonar.host.url="https://sonarcloud.io" \
-            /d:sonar.login="${{ secrets.SONAR_TOKEN }}" \
+            /d:sonar.login="${{ secrets.SONNAR_TOKEN }}" \
             /d:sonar.scm.provider=git \
             /d:sonar.coverage.exclusions="**Test*.cs"
 
@@ -133,12 +133,12 @@ jobs:
       - name: 🔍 Run Code Analysis
         run: |
           echo "🔍 Finalizing SonarQube analysis..."
-          if [ -z "${{ secrets.SONAR_TOKEN }}" ]; then
-            echo "⚠️ SONAR_TOKEN not configured, skipping analysis"
+          if [ -z "${{ secrets.SONNAR_TOKEN }}" ]; then
+            echo "⚠️ SONNAR_TOKEN not configured, skipping analysis"
             exit 0
           fi
 
-          dotnet sonarscanner end /d:sonar.login="${{ secrets.SONAR_TOKEN }}"
+          dotnet sonarscanner end /d:sonar.login="${{ secrets.SONNAR_TOKEN }}"
 
   # Security Summary
   security-summary:

CHANGELOG.md

@@ -19,6 +19,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Test framework stability with graceful error handling
 
 ### Security
+- **Updated Security Tokens**: Standardized token usage across all GitHub Actions workflows
+  - `CODECOV_TOKEN`: Configured for codecov coverage uploads
+  - `NUGET_TOKEN`: Configured for NuGet.org publishing
+  - `SONNAR_TOKEN`: Updated from SONAR_TOKEN for SonarCloud analysis
 - Architecture improvements following security best practices
 - Enhanced validation framework for input sanitization
 - Proper dependency injection patterns
@@ -27,6 +31,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Refactored validation system with extensible framework
 - Improved code organization following Clean Architecture
 - Enhanced test structure with better coverage reporting
+- **GitHub Actions**: Updated all workflows to use standardized security tokens
+- **Documentation**: Added security tokens configuration section to README
 
 ## [1.0.8] - 2026-02-18
 

readme.md

@@ -1,7 +1,7 @@
 
 # QRCoder.Core - QR Code Generator Library
 
-[![Build status](https://github.com/afonsoft/QRCoder.Core/actions/workflows/build-and-pack.yml/badge.svg?branch=main)](https://github.com/afonsoft/QRCoder.Core/actions/workflows/build-and-pack.yml)
+[![Build status](https://github.com/afonsoft/QRCoder.Core/actions/workflows/ci-build-test.yml/badge.svg?branch=main)](https://github.com/afonsoft/QRCoder.Core/actions/workflows/ci-build-test.yml)
 [![codecov](https://codecov.io/gh/afonsoft/QRCoder.Core/graph/badge.svg?token=N8RED1A0D7)](https://codecov.io/gh/afonsoft/QRCoder.Core)
 [![NuGet Badge](https://buildstats.info/nuget/QRCoder.Core?rnd=0892982314)](https://www.nuget.org/packages/QRCoder.Core/)
 [![Code Quality](https://sonarcloud.io/api/project_badges/measure?project=QrCode.Core&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=QrCode.Core)
@@ -156,6 +156,28 @@ O projeto `QRCoder.Core` é uma biblioteca que facilita a geração de códigos
 3.  **Geração de Payload**: A classe `PayloadGenerator` oferece métodos para criar payloads formatados para tipos específicos de Código QR, como URLs, SMS, contatos, Wi-Fi, entre outros, simplificando a criação de Códigos QR para casos de uso comuns.
 4.  **Tratamento de Exceções**: O projeto inclui exceções personalizadas, como `DataTooLongException`, para lidar com cenários onde os dados fornecidos excedem a capacidade máxima de um Código QR.
 
+## 🔐 Tokens de Segurança
+
+O projeto utiliza os seguintes tokens de segurança configurados nos secrets do GitHub:
+
+### Tokens Necessários
+- **CODECOV_TOKEN**: Token para upload de relatórios de cobertura para Codecov
+- **NUGET_TOKEN**: Token para publicação de pacotes no NuGet.org
+- **SONNAR_TOKEN**: Token para análise de código no SonarCloud
+
+### Configuração
+Para desenvolvedores que desejam rodar os workflows localmente ou configurar o fork:
+
+1. Vá para **Settings** > **Secrets and variables** > **Actions** no seu repositório GitHub
+2. Adicione os seguintes secrets:
+   - `CODECOV_TOKEN`: Obtido em [codecov.io](https://codecov.io/)
+   - `NUGET_TOKEN`: Obtido em [nuget.org](https://www.nuget.org/) (apenas para publicação)
+   - `SONNAR_TOKEN`: Obtido em [sonarcloud.io](https://sonarcloud.io/)
+
+### Tokens Opcionais
+- **SNYK_TOKEN**: Para análise de vulnerabilidades com Snyk
+- **QODANA_TOKEN**: Para análise de código com Qodana (JetBrains)
+
 ## CI/CD e Build
 O projeto utiliza um pipeline completo de CI/CD com GitHub Actions para garantir qualidade e automação: