Add CPM, analyzers, SourceLink, format check, coverage report, SBOM, attestation, and community files

- Central Package Management via Directory.Packages.props
- AnalysisLevel latest-recommended + EnforceCodeStyleInBuild
- SourceLink properties (PublishRepositoryUrl, EmbedUntrackedSources)
- NUKE Format target with dotnet format --verify-no-changes
- GenerateDocumentationFile for packable projects (in targets)
- Dynamic NuGet metadata from GITHUB_REPOSITORY env var
- CoverageReport NUKE target using ReportGenerator
- Migrate dotnet-tools.json to .config/ convention path
- Add dotnet-reportgenerator-globaltool to tool manifest
- SBOM generation (anchore/sbom-action) in release job
- Artifact attestation (actions/attest-build-provenance) in release job
- PR template and issue templates (bug-report, feature-request)
- Fix Publish target missing DependsOn(Restore)
- Fix sample code for new analyzer rules (static class, XML docs)
- Add tests/.editorconfig to suppress CA1707 for test naming

Made-with: Cursor

Author: Hongwei-MB

dotnet-tools.json .config/dotnet-tools.jsondotnet-tools.json renamed to .config/dotnet-tools.json

@@ -8,6 +8,13 @@
         "docfx"
       ],
       "rollForward": false
+    },
+    "dotnet-reportgenerator-globaltool": {
+      "version": "5.4.5",
+      "commands": [
+        "reportgenerator"
+      ],
+      "rollForward": false
     }
   }
-}
+}

.github/ISSUE_TEMPLATE/bug-report.yml

@@ -0,0 +1,42 @@
+name: Bug Report
+description: Report a bug or unexpected behavior
+labels: [bug]
+body:
+  - type: textarea
+    id: description
+    attributes:
+      label: Description
+      description: A clear description of the bug.
+    validations:
+      required: true
+  - type: textarea
+    id: steps
+    attributes:
+      label: Steps to Reproduce
+      description: Steps to reproduce the behavior.
+      placeholder: |
+        1. Run '...'
+        2. See error
+    validations:
+      required: true
+  - type: textarea
+    id: expected
+    attributes:
+      label: Expected Behavior
+      description: What you expected to happen.
+    validations:
+      required: true
+  - type: input
+    id: version
+    attributes:
+      label: Version
+      description: Which version are you using?
+      placeholder: e.g. 0.2.0
+  - type: textarea
+    id: environment
+    attributes:
+      label: Environment
+      description: OS, .NET SDK version, and any other relevant details.
+      placeholder: |
+        OS: Ubuntu 24.04
+        .NET SDK: 10.0.103

.github/ISSUE_TEMPLATE/feature-request.yml

@@ -0,0 +1,23 @@
+name: Feature Request
+description: Suggest a new feature or improvement
+labels: [enhancement]
+body:
+  - type: textarea
+    id: problem
+    attributes:
+      label: Problem
+      description: What problem does this feature solve?
+    validations:
+      required: true
+  - type: textarea
+    id: solution
+    attributes:
+      label: Proposed Solution
+      description: Describe the desired behavior or approach.
+    validations:
+      required: true
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Alternatives Considered
+      description: Any alternative solutions or workarounds you have considered.

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,12 @@
+## Summary
+
+<!-- Brief description of what this PR does and why -->
+
+## Changes
+
+- 
+
+## Test Plan
+
+- [ ] Tests pass locally
+- [ ] No new warnings introduced

.github/workflows/ci.yml

@@ -183,13 +183,20 @@ jobs:
       - uses: actions/cache@v5
         with:
           path: ~/.nuget/packages
-          key: ${{ runner.os }}-nuget-${{ hashFiles('**/*.csproj', 'global.json', 'dotnet-tools.json') }}
+          key: ${{ runner.os }}-nuget-${{ hashFiles('**/*.csproj', 'global.json', '.config/dotnet-tools.json') }}
           restore-keys: ${{ runner.os }}-nuget-
 
       - name: Install .NET workloads
         if: matrix.workloads != ''
         run: dotnet workload install ${{ matrix.workloads }}
 
+      - name: Check code format
+        if: matrix.runtime == 'linux-x64'
+        shell: bash
+        run: |
+          chmod +x build.sh
+          ./build.sh Format
+
       - name: Build and test
         if: runner.os != 'Windows'
         shell: bash
@@ -293,6 +300,8 @@ jobs:
     environment: release
     permissions:
       contents: write
+      attestations: write
+      id-token: write
     concurrency:
       group: release-tag-${{ needs.resolve-version.outputs.tag }}
       cancel-in-progress: false
@@ -392,6 +401,20 @@ jobs:
         shell: bash
         run: echo "::warning::NUGET_API_KEY not configured. Skipping NuGet push."
 
+      - name: Generate SBOM
+        uses: anchore/sbom-action@v0
+        with:
+          artifact-name: sbom-spdx.json
+          output-file: sbom-spdx.json
+          format: spdx-json
+
+      - name: Attest build provenance
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-path: |
+            packages/*.nupkg
+            installers/*.zip
+
       - name: Create and push tag
         shell: bash
         run: |
@@ -432,7 +455,12 @@ jobs:
             exit 1
           fi
 
-          gh release create "$TAG" "${RELEASE_FILES[@]}" \
+          SBOM_FILE=""
+          if [ -f "sbom-spdx.json" ]; then
+            SBOM_FILE="sbom-spdx.json"
+          fi
+
+          gh release create "$TAG" "${RELEASE_FILES[@]}" $SBOM_FILE \
             --title "$RELEASE_NAME" \
             --generate-notes
           echo "Created release $TAG with ${#RELEASE_FILES[@]} assets"

Directory.Build.props

@@ -5,8 +5,13 @@
     <ImplicitUsings>enable</ImplicitUsings>
     <Nullable>enable</Nullable>
     <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
+    <AnalysisLevel>latest-recommended</AnalysisLevel>
+    <EnforceCodeStyleInBuild>true</EnforceCodeStyleInBuild>
+    <PublishRepositoryUrl>true</PublishRepositoryUrl>
+    <EmbedUntrackedSources>true</EmbedUntrackedSources>
   </PropertyGroup>
 
+
   <!-- Explicit version: single source of truth for the entire solution.
        Bump this value via PR when preparing a new release. -->
   <PropertyGroup>

Directory.Build.targets

@@ -5,4 +5,16 @@
     <ContinuousIntegrationBuild>true</ContinuousIntegrationBuild>
   </PropertyGroup>
 
+  <!-- Generate XML documentation for packable projects only -->
+  <PropertyGroup Condition="'$(IsPackable)' != 'false'">
+    <GenerateDocumentationFile>true</GenerateDocumentationFile>
+  </PropertyGroup>
+
+  <!-- Populate NuGet package metadata from GitHub environment variables -->
+  <PropertyGroup Condition="'$(GITHUB_REPOSITORY)' != '' AND '$(RepositoryUrl)' == ''">
+    <RepositoryUrl>https://github.com/$(GITHUB_REPOSITORY)</RepositoryUrl>
+    <RepositoryType>git</RepositoryType>
+    <PackageProjectUrl>https://github.com/$(GITHUB_REPOSITORY)</PackageProjectUrl>
+  </PropertyGroup>
+
 </Project>

Directory.Packages.props

@@ -0,0 +1,17 @@
+<Project>
+
+  <PropertyGroup>
+    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <!-- Build tooling -->
+    <PackageVersion Include="Nuke.Common" Version="10.1.0" />
+    <!-- Testing -->
+    <PackageVersion Include="coverlet.collector" Version="8.0.0" />
+    <PackageVersion Include="Microsoft.NET.Test.Sdk" Version="18.3.0" />
+    <PackageVersion Include="xunit" Version="2.9.3" />
+    <PackageVersion Include="xunit.runner.visualstudio" Version="3.1.5" />
+  </ItemGroup>
+
+</Project>

build/BuildTask.Parameters.cs

@@ -35,6 +35,6 @@ partial class BuildTask
 
     AbsolutePath ReleaseManifestFile => PackagesDirectory / "release-manifest.json";
     AbsolutePath BuildOutputsMarkerFile => ArtifactsDirectory / ".build-outputs" / "build-outputs.json";
-    AbsolutePath ToolManifestFile => RootDirectory / "dotnet-tools.json";
+    AbsolutePath ToolManifestFile => RootDirectory / ".config" / "dotnet-tools.json";
     AbsolutePath DirectoryBuildPropsFile => RootDirectory / "Directory.Build.props";
 }

build/BuildTask.Targets.CoverageReport.cs

@@ -0,0 +1,34 @@
+using System;
+using System.Linq;
+using Nuke.Common;
+using Nuke.Common.IO;
+using Nuke.Common.Tools.DotNet;
+using static Nuke.Common.Tools.DotNet.DotNetTasks;
+
+partial class BuildTask
+{
+    Target CoverageReport => _ => _
+        .DependsOn(Test)
+        .Executes(() =>
+        {
+            var coverageFiles = TestResultsDirectory.GlobFiles("**/coverage.cobertura.xml");
+            if (!coverageFiles.Any())
+            {
+                Console.WriteLine("No coverage files found. Skipping report generation.");
+                return;
+            }
+
+            var reportDir = TestResultsDirectory / "coverage-report";
+            var reports = string.Join(";", coverageFiles);
+
+            DotNet(
+                $"reportgenerator " +
+                $"-reports:{reports} " +
+                $"-targetdir:{reportDir} " +
+                $"-reporttypes:Cobertura;HtmlSummary " +
+                $"-assemblyfilters:-*.Tests",
+                workingDirectory: RootDirectory);
+
+            Console.WriteLine($"Coverage report generated at: {reportDir}");
+        });
+}