Add CI/CD workflows and security policy

.github/workflows/lint.yml

@@ -0,0 +1,63 @@
+# Check code style and formatting
+name: Lint
+
+on:
+  push:
+    branches: [main, master, develop]
+  pull_request:
+    branches: [main, master, develop]
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    
+    steps:
+      # 1. Get the code
+      - name: Checkout code
+        uses: actions/checkout@v4
+      
+      # 2. Set up Python
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+      
+      # 3. Install linting tools
+      - name: Install linters
+        run: |
+          python -m pip install --upgrade pip
+          pip install ruff black
+      
+      # 4. Run ruff (fast linter - catches bugs and style issues)
+      - name: Run ruff
+        run: |
+          ruff check src/ tests/ frontends/
+      
+      # 5. Check black formatting (doesn't modify, just checks)
+      - name: Check black formatting
+        run: |
+          black --check src/ tests/ frontends/
+
+  # Type checking (optional but helpful)
+  typecheck:
+    runs-on: ubuntu-latest
+    
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+      
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -e ".[dev]"
+          pip install mypy
+      
+      - name: Run mypy
+        run: |
+          mypy src/stegasoo --ignore-missing-imports
+        continue-on-error: true  # Don't fail build on type errors (yet)

.github/workflows/release.yml

@@ -0,0 +1,95 @@
+# Publish to PyPI when a version tag is pushed
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v*'  # Triggers on v1.0.0, v2.1.0, etc.
+
+jobs:
+  # First, run tests to make sure everything works
+  test:
+    runs-on: ubuntu-latest
+    
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+      
+      - name: Install system dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y libzbar0
+      
+      - name: Install package
+        run: |
+          python -m pip install --upgrade pip
+          pip install -e ".[dev]"
+      
+      - name: Run tests
+        run: pytest
+
+  # Then build and publish
+  publish:
+    needs: test  # Only run if tests pass
+    runs-on: ubuntu-latest
+    
+    # Required for PyPI trusted publishing (recommended)
+    permissions:
+      id-token: write
+    
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+      
+      - name: Install build tools
+        run: |
+          python -m pip install --upgrade pip
+          pip install build twine
+      
+      - name: Build package
+        run: python -m build
+      
+      - name: Check package
+        run: twine check dist/*
+      
+      # Option 1: Trusted Publishing (recommended, no token needed)
+      # Set this up at: https://pypi.org/manage/project/stegasoo/settings/publishing/
+      - name: Publish to PyPI (Trusted Publishing)
+        uses: pypa/gh-action-pypi-publish@release/v1
+        # No token needed if you configure trusted publishing on PyPI
+      
+      # Option 2: API Token (uncomment if not using trusted publishing)
+      # - name: Publish to PyPI (API Token)
+      #   env:
+      #     TWINE_USERNAME: __token__
+      #     TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
+      #   run: twine upload dist/*
+
+  # Create GitHub Release with changelog
+  github-release:
+    needs: publish
+    runs-on: ubuntu-latest
+    
+    permissions:
+      contents: write  # Needed to create releases
+    
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      
+      - name: Create GitHub Release
+        uses: softprops/action-gh-release@v1
+        with:
+          generate_release_notes: true
+          files: |
+            dist/*

.github/workflows/test.yml

@@ -0,0 +1,53 @@
+# Run tests on every push and pull request
+name: Tests
+
+on:
+  push:
+    branches: [main, master, develop]
+  pull_request:
+    branches: [main, master, develop]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    
+    strategy:
+      fail-fast: false  # Don't cancel other jobs if one fails
+      matrix:
+        python-version: ["3.10", "3.11", "3.12"]
+    
+    steps:
+      # 1. Get the code
+      - name: Checkout code
+        uses: actions/checkout@v4
+      
+      # 2. Set up Python
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+      
+      # 3. Install system dependencies (for pyzbar QR reading)
+      - name: Install system dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y libzbar0
+      
+      # 4. Install the package with all dependencies
+      - name: Install package
+        run: |
+          python -m pip install --upgrade pip
+          pip install -e ".[dev]"
+      
+      # 5. Run tests with coverage
+      - name: Run tests
+        run: |
+          pytest --cov=stegasoo --cov-report=xml --cov-report=term-missing
+      
+      # 6. Upload coverage report (optional - integrates with codecov.io)
+      - name: Upload coverage
+        uses: codecov/codecov-action@v4
+        if: matrix.python-version == '3.11'  # Only upload once
+        with:
+          files: ./coverage.xml
+          fail_ci_if_error: false  # Don't fail if codecov is down