Release: Merge dev into main

.github/CODEOWNERS

@@ -0,0 +1 @@
+* @DrWheelicus

.github/workflows/python-app.yml

@@ -5,6 +5,7 @@ on:
     branches: ["main"]
   pull_request:
     branches: ["**"]
+  workflow_call:  # Allow this workflow to be called by other workflows
 
 permissions:
   contents: read
@@ -76,4 +77,29 @@ jobs:
         uses: codecov/codecov-action@v5
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
-          slug: DrWheelicus/encoderize
+          slug: DrWheelicus/encoderize
+
+  build_package:
+    runs-on: ubuntu-latest
+    needs: lint_and_test
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.13"
+
+      - name: Install build dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install build
+
+      - name: Build package
+        run: python -m build
+
+      - name: Upload build artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: dist
+          path: dist/

.github/workflows/release.yml

@@ -0,0 +1,50 @@
+name: Release to PyPI
+
+on:
+  push:
+    tags:
+      - "v*"
+
+permissions:
+  contents: write
+  id-token: write
+
+jobs:
+  # Reuse the existing CI workflow for testing and building
+  ci:
+    uses: ./.github/workflows/python-app.yml
+    secrets: inherit
+
+  publish-pypi:
+    needs: ci
+    runs-on: ubuntu-latest
+    environment:
+      name: Main Deployment
+      url: https://pypi.org/project/encoderize/
+    steps:
+      - name: Download build artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: dist
+          path: dist/
+
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1
+
+  github-release:
+    needs: [ci, publish-pypi]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Download build artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: dist
+          path: dist/
+
+      - name: Create GitHub Release
+        uses: softprops/action-gh-release@v2
+        with:
+          generate_release_notes: true
+          files: dist/*

.gitignore

@@ -19,6 +19,7 @@ __pycache__/
 .idea/
 
 output_*/
+svg_out*/
 
 .pytest_cache/
 
@@ -30,4 +31,11 @@ htmlcov/
 dist/
 build/
 
-
+# Editor files
+.cursor/
+.vscode/
+.idea/
+.DS_Store
+.env
+.env.*
+!.env.example

CONTRIBUTING.md

@@ -43,6 +43,45 @@ This section guides you through submitting an enhancement suggestion for Encoder
 - Use `black` for code formatting.
 - Use `flake8` for linting.
 
+## Releasing (Maintainers)
+
+Releases are automated via GitHub Actions. To create a new release:
+
+1. **Update the version** in `encoderize/__init__.py`:
+   ```python
+   __version__ = "0.2.0"  # Use semantic versioning
+   ```
+
+2. **Commit the version bump**:
+   ```bash
+   git add encoderize/__init__.py
+   git commit -m "chore: bump version to 0.2.0"
+   git push
+   ```
+
+3. **Create and push a tag** (must match the version with a `v` prefix):
+   ```bash
+   git tag v0.2.0
+   git push --tags
+   ```
+
+4. The release workflow will automatically:
+   - Run tests to ensure everything passes
+   - Build the package (sdist and wheel)
+   - Publish to PyPI
+   - Create a GitHub Release with auto-generated release notes
+
+### First-Time Setup (PyPI Trusted Publishing)
+
+Before the first automated release, a maintainer must configure trusted publishing on PyPI:
+
+1. Go to https://pypi.org/manage/project/encoderize/settings/publishing/
+2. Add a new publisher with:
+   - Owner: `DrWheelicus`
+   - Repository: `encoderize`
+   - Workflow name: `release.yml`
+   - Environment name: `Main Deployment`
+
 ## Any questions?
 
 Feel free to reach out if you have questions about contributing. 

README.md

@@ -1,8 +1,16 @@
-[![codecov](https://codecov.io/gh/DrWheelicus/encoderize/graph/badge.svg?token=QPQMGU1G01)](https://codecov.io/gh/DrWheelicus/encoderize) [![PyPI](https://badge.fury.io/py/encoderize.svg)](https://badge.fury.io/py/encoderize) [![Downloads](https://pepy.tech/badge/encoderize)](https://pepy.tech/project/encoderize)
+<p align="center">
+  <picture>
+    <source media="(prefers-color-scheme: dark)" srcset="assets/docs/Transparent Logo Dark.png">
+    <source media="(prefers-color-scheme: light)" srcset="assets/docs/Transparent Logo.png">
+    <img src="assets/docs/Transparent Logo.png" alt="Encoderize Logo" width="300">
+  </picture>
+</p>
 
-<h1 align="center">
-Encoderize
-</h1>
+<p align="center">
+  <a href="https://codecov.io/gh/DrWheelicus/encoderize"><img src="https://codecov.io/gh/DrWheelicus/encoderize/graph/badge.svg?token=QPQMGU1G01" alt="codecov"></a>
+  <a href="https://badge.fury.io/py/encoderize"><img src="https://badge.fury.io/py/encoderize.svg" alt="PyPI"></a>
+  <a href="https://pepy.tech/project/encoderize"><img src="https://pepy.tech/badge/encoderize" alt="Downloads"></a>
+</p>
 
 <p align="center">
 A Python package for generating various visual representations of text in SVG format.

SECURITY.md

@@ -0,0 +1,125 @@
+# Security Policy
+
+## Supported Versions
+
+I release patches for security vulnerabilities in the following versions:
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 0.2.x   | :white_check_mark: |
+| < 0.2   | :x:                |
+
+## Reporting a Vulnerability
+
+I take the security of Encoderize seriously. If you believe you have found a security vulnerability, please report it as described below.
+
+### How to Report
+
+**Please do not report security vulnerabilities through public GitHub issues.**
+
+Instead, please report them via email to:
+
+**[haydenpmac@gmail.com](mailto:haydenpmac@gmail.com)**
+
+Include the following information in your report:
+
+- Type of vulnerability (e.g., code injection, path traversal, arbitrary file write)
+- Full paths of source file(s) related to the manifestation of the vulnerability
+- The location of the affected source code (tag/branch/commit or direct URL)
+- Any special configuration required to reproduce the issue
+- Step-by-step instructions to reproduce the issue
+- Proof-of-concept or exploit code (if possible)
+- Impact of the vulnerability, including how an attacker might exploit it
+
+### What to Expect
+
+After you submit a report, you should expect:
+
+- **Acknowledgment within 48 hours**: I'll confirm receipt of your vulnerability report
+- **Regular updates**: I'll keep you informed about my progress
+- **Timeline**: I aim to resolve critical vulnerabilities within 7 days
+- **Credit**: I'll acknowledge your responsible disclosure in the fix announcement (unless you prefer to remain anonymous)
+
+## Security Best Practices
+
+### For Users
+
+When using Encoderize, please follow these security best practices:
+
+1. **Validate Input**: Always validate and sanitize text input before passing it to Encoderize functions
+2. **File Permissions**: Be mindful of output directory permissions when generating SVG files
+3. **Dependency Management**: Keep Encoderize and its dependencies up to date:
+   ```bash
+   pip install --upgrade encoderize
+   ```
+4. **Ghostscript Security**: Keep Ghostscript updated, as it's a critical dependency for barcode generation
+
+### For Contributors
+
+If you're contributing to Encoderize:
+
+1. **Code Review**: All code changes are reviewed before merging
+2. **Dependency Updates**: Report any outdated dependencies with known vulnerabilities
+3. **Input Validation**: Ensure all user input is properly validated and sanitized
+4. **Path Traversal**: Verify that file operations prevent directory traversal attacks
+5. **Testing**: Write security tests for any input handling or file operations
+
+## Known Security Considerations
+
+### File System Operations
+
+Encoderize writes SVG files to disk. Users should:
+
+- Ensure output directories have appropriate permissions
+- Be cautious when specifying output paths
+- Validate that generated files are placed in expected locations
+
+### Ghostscript Dependency
+
+The `code128_barcode` generator requires Ghostscript, which has had security vulnerabilities in the past:
+
+- Always use the latest version of Ghostscript
+- Be aware that barcode generation executes external Ghostscript processes
+- Consider security implications in server environments
+
+### Input Sanitization
+
+While Encoderize primarily generates visual representations and doesn't execute code:
+
+- Long input strings may cause performance issues
+- Special characters are processed but should be validated by applications
+- SVG output should be treated as user-generated content if serving on web applications
+
+## Security Update Process
+
+When a security vulnerability is confirmed:
+
+1. **Private Fix**: I'll develop a fix in a private repository
+2. **Testing**: The fix will be thoroughly tested
+3. **Release**: A new version will be released with the security fix
+4. **Notification**: Security advisories will be published on GitHub
+5. **Documentation**: CHANGELOG and release notes will document the fix
+
+## Disclosure Policy
+
+- **Coordinated Disclosure**: I practice coordinated disclosure
+- **Public Disclosure**: Security issues will be publicly disclosed after a fix is available
+- **Security Advisories**: Critical vulnerabilities will have GitHub Security Advisories created
+- **CVE Assignment**: I'll work to obtain CVE identifiers for significant vulnerabilities
+
+## Additional Resources
+
+- [Python Security Best Practices](https://python.readthedocs.io/en/stable/library/security_warnings.html)
+- [OWASP Python Security](https://owasp.org/www-project-python-security/)
+- [GitHub Security Advisories](https://github.com/DrWheelicus/encoderize/security/advisories)
+
+## Contact
+
+For security-related questions or concerns, contact:
+
+**Hayden MacIntyre**  
+Email: [haydenpmac@gmail.com](mailto:haydenpmac@gmail.com)
+
+---
+
+Thank you for helping keep Encoderize and its users safe!

setup.py

@@ -1,8 +1,13 @@
+import re
 from setuptools import setup, find_packages
 
+# Read version from encoderize/__init__.py (single source of truth)
+with open("encoderize/__init__.py", "r") as f:
+    version = re.search(r'__version__ = "([^"]+)"', f.read()).group(1)
+
 setup(
     name="encoderize",
-    version="0.1.0",
+    version=version,
     keywords="encoderize, encoder, barcode, svg, visualizer",
     packages=find_packages(),
     install_requires=[