feat: add CLA Assistant and Scorecard configuration (#579)

- Add CLA Assistant workflow using DCO (Developer Certificate of Origin)
- Add .scorecard.yml with annotations explaining legitimate binary artifacts
- Create signatures/cla.json to store CLA signatures

The CLA workflow integrates with existing DCO requirements and provides
a better contributor experience with automated signature tracking.

The Scorecard configuration documents why binary artifacts (HybridCLR,
YooAsset bundles, AOT DLLs) are required for this Unity framework and
cannot be removed.

Signed-off-by: Jason Xu <jasonxudeveloper@gmail.com>
Signed-off-by: JasonXuDeveloper - 傑 <jason@xgamedev.net>

Author: JasonXuDeveloper

.github/workflows/cla.yml

@@ -0,0 +1,47 @@
+name: CLA Assistant
+
+on:
+  issue_comment:
+    types: [created]
+  pull_request_target:
+    types: [opened, closed, synchronize]
+
+# Explicit permissions following least-privilege principle
+permissions: read-all
+
+jobs:
+  cla:
+    runs-on: ubuntu-latest
+    permissions:
+      actions: write
+      contents: write
+      pull-requests: write
+      statuses: write
+    if: |
+      (github.event_name == 'pull_request_target') ||
+      (github.event_name == 'issue_comment' && github.event.issue.pull_request && github.event.comment.body == 'recheck')
+    steps:
+      - name: CLA Assistant
+        uses: contributor-assistant/github-action@v2.6.1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          # Use Developer Certificate of Origin (same as existing DCO check)
+          path-to-document: 'https://developercertificate.org/'
+          # Store signatures in the repository
+          path-to-signatures: 'signatures/cla.json'
+          branch: 'master'
+          # Allowlist for bots that don't need to sign
+          allowlist: 'bot*,*[bot],dependabot*,github-actions*,jengine-release-bot*'
+          # Custom messages
+          custom-notsigned-prcomment: |
+            Thank you for your contribution! Before we can merge this PR, we need you to sign the [Developer Certificate of Origin](https://developercertificate.org/).
+
+            **To sign, please reply with the following comment:**
+            ```
+            I have read the Developer Certificate of Origin and I hereby sign the DCO
+            ```
+
+            You can also sign all future contributions by adding `Signed-off-by: Your Name <your.email@example.com>` to your commit messages (use `git commit -s`).
+          custom-pr-sign-comment: 'I have read the Developer Certificate of Origin and I hereby sign the DCO'
+          custom-allsigned-prcomment: 'All contributors have signed the DCO. Thank you!'

.scorecard.yml

@@ -0,0 +1,27 @@
+# OpenSSF Scorecard Configuration
+# See https://github.com/ossf/scorecard/blob/main/docs/config.md
+
+annotations:
+  # Binary artifacts that are required for Unity framework functionality
+  - checks:
+      - binary-artifacts
+    reasons:
+      - reason: not-applicable
+        annotation: |
+          JEngine is a Unity hot-update framework that requires certain binary files:
+
+          1. HybridCLR Plugin (com.code-philosophy.hybridclr):
+             - Native DLLs for IL2CPP hot-update functionality
+             - Required for runtime C# code execution
+
+          2. YooAsset Bundles (Assets/StreamingAssets/yoo):
+             - Pre-built asset bundles for sample project
+             - Demonstrate framework capabilities
+
+          3. AOT Compiled DLLs (Assets/HotUpdate/Compiled/AOT):
+             - Unity engine module references
+             - Required for IL2CPP builds
+
+          These binaries are from trusted sources (Unity, HybridCLR) and are
+          essential for the framework to function. They cannot be built from
+          source as they are platform-specific Unity artifacts.

signatures/cla.json

@@ -0,0 +1 @@
+{"signedContributors": []}