ci: add CodeQL, OWASP dependency-check, JaCoCo coverage, and README badges

- CodeQL SAST on push/PR/weekly schedule
- OWASP dependency-check on push/weekly, uploads SARIF to Security tab
- JaCoCo coverage report wired into CI verify phase
- Codecov upload step in CI workflow
- README badges: CI, CodeQL, Codecov, Maven Central, License

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: MoshPe

.github/workflows/ci.yml

@@ -26,3 +26,10 @@ jobs:
               --no-transfer-progress \
               clean verify \
               -Dgpg.skip=true
+
+      - name: Upload coverage to Codecov
+        uses: codecov/codecov-action@v5
+        with:
+          files: streamfence-core/target/site/jacoco/jacoco.xml
+          flags: unittests
+          fail_ci_if_error: false

.github/workflows/codeql.yml

@@ -0,0 +1,46 @@
+name: CodeQL
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: '23 7 * * 1'
+
+jobs:
+  analyze:
+    name: Analyze (Java)
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      actions: read
+      contents: read
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Java 25
+        uses: actions/setup-java@v4
+        with:
+          java-version: '25'
+          distribution: 'temurin'
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: java
+          queries: security-and-quality
+
+      - name: Build
+        run: |
+          mvn -pl streamfence-core \
+              --no-transfer-progress \
+              clean compile \
+              -Dgpg.skip=true
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: /language:java

.github/workflows/dependency-check.yml

@@ -0,0 +1,52 @@
+name: Dependency Check
+
+on:
+  push:
+    branches: [main]
+  schedule:
+    - cron: '41 6 * * 1'
+
+jobs:
+  owasp:
+    name: OWASP Dependency Check
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Java 25
+        uses: actions/setup-java@v4
+        with:
+          java-version: '25'
+          distribution: 'temurin'
+
+      - name: Run OWASP Dependency Check
+        run: |
+          mvn -pl streamfence-core \
+              --no-transfer-progress \
+              org.owasp:dependency-check-maven:check \
+              -Dgpg.skip=true \
+              -DfailBuildOnCVSS=7 \
+              -DsuppressionFile=.github/dependency-check-suppressions.xml \
+              -Dformats=HTML,SARIF \
+              -DoutputDirectory=target/dependency-check
+        continue-on-error: true
+
+      - name: Upload SARIF report
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: streamfence-core/target/dependency-check/dependency-check-report.sarif
+          category: dependency-check
+
+      - name: Upload HTML report
+        uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: dependency-check-report
+          path: streamfence-core/target/dependency-check/dependency-check-report.html
+          retention-days: 30

README.md

@@ -1,5 +1,11 @@
 # StreamFence - Embeddable Java Socket.IO Server Library
 
+[![CI](https://github.com/MoshPe/StreamFence/actions/workflows/ci.yml/badge.svg)](https://github.com/MoshPe/StreamFence/actions/workflows/ci.yml)
+[![CodeQL](https://github.com/MoshPe/StreamFence/actions/workflows/codeql.yml/badge.svg)](https://github.com/MoshPe/StreamFence/actions/workflows/codeql.yml)
+[![codecov](https://codecov.io/gh/MoshPe/StreamFence/branch/main/graph/badge.svg)](https://codecov.io/gh/MoshPe/StreamFence)
+[![Maven Central](https://img.shields.io/maven-central/v/io.github.moshpe/streamfence-core.svg)](https://central.sonatype.com/artifact/io.github.moshpe/streamfence-core)
+[![License](https://img.shields.io/badge/license-Apache%202.0-blue.svg)](https://www.apache.org/licenses/LICENSE-2.0)
+
 ## Why StreamFence
 
 `StreamFence` is an embeddable Java Socket.IO server library built on `netty-socketio` for teams that need live topic delivery with bounded memory, explicit backpressure behavior, and optional reliable delivery.

pom.xml

@@ -55,6 +55,7 @@
         <maven.source.version>3.3.1</maven.source.version>
         <maven.javadoc.version>3.11.2</maven.javadoc.version>
         <exec-maven-plugin.version>3.6.1</exec-maven-plugin.version>
+        <jacoco.version>0.8.12</jacoco.version>
     </properties>
 
     <developers>
@@ -195,6 +196,12 @@
                     </configuration>
                 </plugin>
 
+                <plugin>
+                    <groupId>org.jacoco</groupId>
+                    <artifactId>jacoco-maven-plugin</artifactId>
+                    <version>${jacoco.version}</version>
+                </plugin>
+
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-gpg-plugin</artifactId>

streamfence-core/pom.xml

@@ -112,6 +112,27 @@
                 </executions>
             </plugin>
 
+            <!-- JaCoCo Code Coverage -->
+            <plugin>
+                <groupId>org.jacoco</groupId>
+                <artifactId>jacoco-maven-plugin</artifactId>
+                <executions>
+                    <execution>
+                        <id>prepare-agent</id>
+                        <goals>
+                            <goal>prepare-agent</goal>
+                        </goals>
+                    </execution>
+                    <execution>
+                        <id>report</id>
+                        <phase>verify</phase>
+                        <goals>
+                            <goal>report</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
+
             <!-- Sources JAR -->
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>