ci: add .NET 6/8 + net46 CI/CD, quality gates, commitlint, release with TFM verification; owners/protection docs

Author: ooples

.github/BRANCH_PROTECTION.md

@@ -0,0 +1,19 @@
+# Branch Protection Guidance for AiDotNet
+
+We recommend enabling branch protection on `master` with these required status checks:
+
+- CI (.NET) / Lint and Format Check
+- CI (.NET) / Build
+- CI (.NET) / Test (.NET 8.0.x)
+- CI (.NET) / Integration Tests
+- CI (.NET) / All Checks Passed
+- Quality Gates (.NET) / Publish Size Analysis
+- Commit Message Lint / commitlint
+
+Also enable:
+- Require pull request reviews (e.g., 1–2 approvals)
+- Dismiss stale approvals on new commits (optional)
+- Require status checks to pass before merging
+- Require branches to be up to date before merging
+
+Note: The exact names shown in GitHub’s UI may include the workflow/job prefixes. Use the checks as they appear on a PR to configure the protection rules.

.github/CODEOWNERS

@@ -0,0 +1,6 @@
+# CODEOWNERS for AiDotNet
+# Update these handles to your actual maintainers/teams.
+# Lines are of the form:  <pattern>  <owner1> <owner2>
+
+* @cheat  # TODO: replace with your org/team, e.g. @ooples/core or @ooples/ai-team
+

.github/WORKFLOW_SECRETS.md

@@ -0,0 +1,15 @@
+# Workflow Secrets for AiDotNet CI/CD
+
+Set these GitHub repository secrets (Settings → Secrets and variables → Actions → New repository secret):
+
+- `CODECOV_TOKEN`: Codecov upload token
+  - Used by: `.github/workflows/ci.yml` (coverage upload)
+
+- `NUGET_API_KEY`: NuGet API key for publishing packages
+  - Used by: `.github/workflows/release.yml` (publish to NuGet)
+
+Important:
+- Do NOT commit secrets to the repository.
+- These secrets may be shared across multiple repos; after rollout here, update other repos to ensure consistency.
+- If rotating keys, update all dependent repos’ secrets simultaneously to avoid broken pipelines.
+

.github/workflows/ci.yml

@@ -0,0 +1,181 @@
+name: CI (.NET)
+
+on:
+  pull_request:
+    branches: [ master ]
+  push:
+    branches: [ master ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  lint-and-format:
+    name: Lint and Format Check
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup .NET 8.0.x
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: 8.0.x
+
+      - name: Restore
+run: dotnet restore AiDotNet.sln
+      - name: Verify code style (dotnet format)
+        run: |
+          dotnet tool update -g dotnet-format || dotnet tool install -g dotnet-format
+          export PATH="$PATH:$HOME/.dotnet/tools"
+          dotnet format AiDotNet.sln --verify-no-changes || (echo "Run 'dotnet format' locally to fix style issues." && exit 1)
+build:
+  name: Build
+  strategy:
+    matrix:
+      dotnet: ['6.0.x', '8.0.x']
+    fail-fast: false
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup .NET 8.0.x
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: 8.0.x
+
+      - name: Restore
+run: dotnet restore AiDotNet.sln
+      - name: Build
+        run: dotnet build AiDotNet.sln --configuration Release --no-restore
+
+      - name: Publish core library (sanity)
+        run: |
+          if [ -f "src/AiDotNet.csproj" ]; then
+            dotnet publish src/AiDotNet.csproj -c Release -o out
+          else
+            echo "AiDotNet.csproj not found, skipping publish sanity"
+          fi
+
+      - name: Upload build artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: build-${{ github.sha }}
+          path: |
+            out/
+            **/bin/Release/
+          if-no-files-found: ignore
+          retention-days: 7
+
+  test:
+    name: Test (.NET ${{ matrix.dotnet }})
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    strategy:
+      matrix:
+        dotnet: ['6.0.x', '8.0.x']
+      fail-fast: false
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup .NET 8.0.x
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: 8.0.x
+
+      - name: Restore
+run: dotnet restore AiDotNet.sln
+      - name: Run tests with coverage
+        run: |
+          dotnet test AiDotNet.sln --configuration Release --collect:"XPlat Code Coverage" --results-directory ./TestResults
+
+      - name: Upload coverage to Codecov (only uploads if secret set)\n        uses: codecov/codecov-action@v4
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+          files: |
+            ./TestResults/**/coverage.cobertura.xml
+          flags: unittests
+          fail_ci_if_error: false
+
+  integration-test:
+    name: Integration Tests
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    needs: build
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup .NET 8.0.x
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: 8.0.x
+
+      - name: Run integration console (if present)
+        run: |
+          if [ -f "testconsole/AiDotNetTestConsole.csproj" ]; then
+            dotnet run -c Release -p testconsole/AiDotNetTestConsole.csproj || exit 1
+          else
+            echo "No integration console project found; skipping"
+          fi
+
+  status-check:
+    name: All Checks Passed
+    runs-on: ubuntu-latest
+    if: always()
+    needs: [lint-and-format, build, build-netfx, test, integration-test]
+    steps:
+      - name: Verify job outcomes
+        run: |
+          [ "${{ needs.lint-and-format.result }}" = "success" ] || (echo "Lint/format failed" && exit 1)
+          [ "${{ needs.build.result }}" = "success" ] || (echo "Build failed" && exit 1)
+          [ "${{ needs.test.result }}" = "success" ] || (echo "Tests failed" && exit 1)
+          [ "${{ needs.integration-test.result }}" = "success" ] || (echo "Integration tests failed" && exit 1)
+          echo "All checks passed!"
+
+
+
+
+
+
+
+  build-netfx:
+    name: Build (.NET Framework 4.6)
+    runs-on: windows-latest
+    timeout-minutes: 15
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup .NET SDK
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: 8.0.x
+
+      - name: Restore
+        shell: pwsh
+        run: |
+          dotnet restore
+
+      - name: Build (Windows MSBuild)
+        shell: pwsh
+        run: |
+          # Build all projects; if multi-targeting includes net46, MSBuild will build it on Windows
+          dotnet build -c Release --no-restore
+
+      - name: Upload netfx build artifacts
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: netfx-build-${{ github.sha }}
+          path: |
+            **/bin/Release/
+          if-no-files-found: ignore
+          retention-days: 7
+
+

.github/workflows/commitlint.yml

@@ -0,0 +1,19 @@
+name: Commit Message Lint
+
+on:
+  pull_request:
+  pull_request_target:
+
+jobs:
+  commitlint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out the PR
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Lint commits
+        uses: wagoid/commitlint-github-action@v6
+        with:
+          configFile: ''
+

.github/workflows/quality-gates.yml

@@ -0,0 +1,78 @@
+name: Quality Gates (.NET)
+
+on:
+  pull_request:
+    branches: [ master ]
+  push:
+    branches: [ master ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  artifact-size:
+    name: Publish Size Analysis
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup .NET
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: 8.0.x
+
+      - name: Publish library
+        run: |
+          if [ -f "src/AiDotNet.csproj" ]; then
+            dotnet publish src/AiDotNet.csproj -c Release -o publish
+          else
+            # fallback: publish all projects in src
+            for p in src/*.csproj; do dotnet publish "$p" -c Release -o publish || true; done
+          fi
+
+      - name: Analyze size vs baseline
+        id: size
+        run: |
+          CURRENT_SIZE=$(du -sb publish | cut -f1)
+          CURRENT_MB=$(echo "scale=2; $CURRENT_SIZE/1024/1024" | bc)
+          echo "current_size=$CURRENT_SIZE" >> $GITHUB_OUTPUT
+          echo "current_mb=$CURRENT_MB" >> $GITHUB_OUTPUT
+          echo "Current publish size: ${CURRENT_MB} MB"
+
+          BASELINE_FILE=".github/artifact-size-baseline.txt"
+          if [ ! -f "$BASELINE_FILE" ]; then
+            echo "$CURRENT_SIZE" > "$BASELINE_FILE"
+            echo "baseline_exists=false" >> $GITHUB_OUTPUT
+            echo "Created baseline (${CURRENT_MB} MB)"
+            exit 0
+          fi
+
+          BASELINE=$(cat "$BASELINE_FILE")
+          BASELINE_MB=$(echo "scale=2; $BASELINE/1024/1024" | bc)
+          CHANGE=$(echo "scale=2; (($CURRENT_SIZE - $BASELINE) * 100) / $BASELINE" | bc)
+          echo "baseline_exists=true" >> $GITHUB_OUTPUT
+          echo "baseline_mb=$BASELINE_MB" >> $GITHUB_OUTPUT
+          echo "percent_change=$CHANGE" >> $GITHUB_OUTPUT
+          echo "Size change: ${CHANGE}% (baseline ${BASELINE_MB} MB)"
+
+          if (( $(echo "$CHANGE > 5" | bc -l) )); then
+            echo "Error: publish size increased by ${CHANGE}% (> +5%)"
+            exit 1
+          fi
+
+      - name: Upload size report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: publish-size-${{ github.sha }}
+          path: |
+            publish/
+            .github/artifact-size-baseline.txt
+          if-no-files-found: ignore
+          retention-days: 7
+