ci: add Codecov, CodeQL, Dependabot and update README

Author: madhugilla

.github/dependabot.yml

@@ -0,0 +1,14 @@
+version: 2
+updates:
+  - package-ecosystem: "nuget"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    open-pull-requests-limit: 5
+    labels: ["dependencies"]
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    open-pull-requests-limit: 5
+    labels: ["dependencies", "ci"]

.github/workflows/ci.yml

@@ -58,6 +58,14 @@ jobs:
           name: test-results
           path: TestResults
 
+      - name: Upload coverage to Codecov
+        uses: codecov/codecov-action@v4
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+          files: coverage/lcov.info
+          fail_ci_if_error: false
+          verbose: false
+
   lint-readme:
     runs-on: ubuntu-latest
     steps:

.github/workflows/codeql.yml

@@ -0,0 +1,46 @@
+name: CodeQL
+
+on:
+  push:
+    branches: [ main, master ]
+  pull_request:
+    branches: [ main, master ]
+  schedule:
+    - cron: '0 3 * * 1'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'csharp' ]
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+
+      - name: Setup .NET
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: 8.0.x
+
+      - name: Restore dependencies
+        run: dotnet restore
+
+      - name: Build
+        run: dotnet build --configuration Release --no-restore
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: '/language:${{matrix.language}}'

README.md

@@ -321,19 +321,25 @@ Do not commit real credentials. Connection string is externalized. Recommended i
 - Enforce HTTPS and strict TLS settings
 - Add static code analysis (CodeQL)
 
-## 🤖 CI/CD (Suggested)
+## 🤖 CI/CD (Implemented)
 
-Workflow defined in `.github/workflows/ci.yml` executes on pushes and PRs to `main` or `master`:
+Workflow `.github/workflows/ci.yml` runs on pushes and PRs to `main` / `master`:
 
 - Restore -> Build (Release) -> Test (with coverage collection)
 - Publishes test results & coverage (Cobertura + lcov) as artifacts
-- Separate job lints `README.md` using markdown-lint
+- Optional Codecov upload step (add `CODECOV_TOKEN` secret to enable)
+- Separate job lints `README.md`
 
-You can extend by:
+Additional automation:
 
-- Adding Codecov upload (needs CODECOV_TOKEN secret)
-- Enabling dependabot for NuGet & GitHub Actions
-- Adding security scanning (CodeQL workflow)
+- Code scanning via CodeQL (`.github/workflows/codeql.yml`)
+- Dependency updates via Dependabot (`.github/dependabot.yml`) for NuGet & GitHub Actions (daily)
+
+Recommended next enhancements:
+
+- Enforce status checks (tests, CodeQL) before merge
+- Add branch protection & required reviews
+- Gate plugin deployment with a manual approval job
 
 ## 🗺️ Roadmap (Ideas)