{"id":34232252,"url":"https://github.com/hack23/game","last_synced_at":"2026-04-16T03:02:26.719Z","repository":{"id":295029007,"uuid":"988850213","full_name":"Hack23/game","owner":"Hack23","description":"A clean, minimal template for building games with React, TypeScript, Three.js, and Vite - built with security-first principles.","archived":false,"fork":false,"pushed_at":"2026-04-12T08:40:22.000Z","size":22487,"stargazers_count":11,"open_issues_count":0,"forks_count":5,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-13T17:39:49.480Z","etag":null,"topics":["codespace","copilot-enabled","cypress","devsecops","game","game-boilerplate","javascript","lighthouse","nodejs","react","reactjs","secure-by-design","template-project","three-js","threejs","typescript","vite","zap"],"latest_commit_sha":null,"homepage":"https://hack23.github.io/game/","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Hack23.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-05-23T07:06:38.000Z","updated_at":"2026-04-12T08:40:24.000Z","dependencies_parsed_at":"2026-02-26T04:05:51.539Z","dependency_job_id":null,"html_url":"https://github.com/Hack23/game","commit_stats":null,"previous_names":["hack23/game"],"tags_count":67,"template":true,"template_full_name":null,"purl":"pkg:github/Hack23/game","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Hack23%2Fgame","tags_url":"https://repos.ecosys
te.ms/api/v1/hosts/GitHub/repositories/Hack23%2Fgame/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Hack23%2Fgame/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Hack23%2Fgame/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Hack23","download_url":"https://codeload.github.com/Hack23/game/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Hack23%2Fgame/sbom","scorecard":{"id":10542,"data":{"date":"2025-08-14T12:41:03Z","repo":{"name":"github.com/Hack23/game","commit":"f48cce3169ec29f4918d5c84d93b0e53e7347228"},"scorecard":{"version":"v5.2.1","commit":"ab2f6e92482462fe66246d9e32f642855a691dc1"},"score":6.5,"checks":[{"name":"Code-Review","score":0,"reason":"Found 0/2 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#code-review"}},{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: detected update tool: Dependabot: .github/dependabot.yml:1"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#dependency-update-tool"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#binary-artifacts"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow 
detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#packaging"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#security-policy"}},{"name":"Maintained","score":0,"reason":"project was created within the last 90 days. Please review its contents carefully","details":["Warn: Repository was created within the last 90 days."],"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#maintained"}},{"name":"Token-Permissions","score":10,"reason":"GitHub workflow tokens follow principle of least privilege","details":["Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql.yml:31","Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:32","Info: jobLevel 'contents' permission set to 'read': .github/workflows/labeler.yml:16","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/release.yml:27","Info: jobLevel 'contents' permission set to 'read': .github/workflows/release.yml:119","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/release.yml:216","Info: jobLevel 'pull-requests' permission set to 'read': .github/workflows/scorecards.yml:33","Info: jobLevel 'checks' permission set to 'read': 
.github/workflows/scorecards.yml:35","Info: jobLevel 'contents' permission set to 'read': .github/workflows/scorecards.yml:29","Info: jobLevel 'actions' permission set to 'read': .github/workflows/scorecards.yml:30","Info: jobLevel 'issues' permission set to 'read': .github/workflows/scorecards.yml:32","Info: jobLevel 'contents' permission set to 'read': .github/workflows/test-and-report.yml:17","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/test-and-report.yml:62","Info: jobLevel 'actions' permission set to 'read': .github/workflows/test-and-report.yml:63","Info: jobLevel 'actions' permission set to 'read': .github/workflows/test-and-report.yml:105","Warn: jobLevel 'checks' permission set to 'write': .github/workflows/test-and-report.yml:106","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/test-and-report.yml:104","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/test-and-report.yml:140","Info: jobLevel 'actions' permission set to 'read': .github/workflows/test-and-report.yml:141","Warn: jobLevel 'checks' permission set to 'write': .github/workflows/test-and-report.yml:142","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/test-and-report.yml:181","Info: jobLevel 'actions' permission set to 'read': .github/workflows/test-and-report.yml:182","Warn: jobLevel 'checks' permission set to 'write': .github/workflows/test-and-report.yml:183","Info: topLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:24","Info: topLevel 'contents' permission set to 'read': .github/workflows/dependency-review.yml:13","Info: topLevel permissions set to 'read-all': .github/workflows/labeler.yml:8","Info: topLevel 'contents' permission set to 'read': .github/workflows/lighthouse-performance.yml:13","Info: topLevel permissions set to 'read-all': .github/workflows/release.yml:19","Info: topLevel permissions set to 'read-all': .github/workflows/scorecards.yml:18","Info: topLevel 
'contents' permission set to 'read': .github/workflows/setup-labels.yml:13","Info: topLevel permissions set to 'read-all': .github/workflows/test-and-report.yml:10","Info: topLevel 'contents' permission set to 'read': .github/workflows/zap-scan.yml:13"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#token-permissions"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#dangerous-workflow"}},{"name":"Pinned-Dependencies","score":9,"reason":"dependency not pinned by hash detected -- score normalized to 9","details":["Warn: npmCommand not pinned by hash: .github/workflows/test-and-report.yml:158","Warn: npmCommand not pinned by hash: .github/workflows/test-and-report.yml:47","Warn: npmCommand not pinned by hash: .github/workflows/test-and-report.yml:121","Info:  43 out of  43 GitHub-owned GitHubAction dependencies pinned","Info:  23 out of  23 third-party GitHubAction dependencies pinned","Info:   3 out of   6 npmCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices 
Badge.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#cii-best-practices"}},{"name":"SAST","score":10,"reason":"SAST tool is run on all commits","details":["Info: SAST configuration detected: CodeQL","Info: all commits (28) are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#sast"}},{"name":"Signed-Releases","score":10,"reason":"5 out of the last 5 releases have a total of 5 signed artifacts.","details":["Info: provenance for release artifact: game-v1.1.2.spdx.json.intoto.jsonl: https://github.com/Hack23/game/releases/tag/v1.1.2","Info: provenance for release artifact: game-v1.1.1.spdx.json.intoto.jsonl: https://github.com/Hack23/game/releases/tag/v1.1.1","Info: provenance for release artifact: game-v1.1.0.spdx.json.intoto.jsonl: https://github.com/Hack23/game/releases/tag/v1.1.0","Info: provenance for release artifact: game-v1.0.0.spdx.json.intoto.jsonl: https://github.com/Hack23/game/releases/tag/v1.0.0","Info: provenance for release artifact: game-v0.0.5.spdx.json.intoto.jsonl: https://github.com/Hack23/game/releases/tag/v0.0.5"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#signed-releases"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#fuzzing"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: 'allow deletion' enabled on branch 'main'","Warn: 'force pushes' enabled on branch 'main'","Warn: 
'branch protection settings apply to administrators' is disabled on branch 'main'","Warn: could not determine whether codeowners review is allowed","Warn: no status checks found to merge onto branch 'main'","Warn: PRs are not required to make changes on branch 'main'; or we don't have data to detect it.If you think it might be the latter, make sure to run Scorecard with a PAT or use Repo Rules (that are always public) instead of Branch Protection settings"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#branch-protection"}},{"name":"License","score":0,"reason":"license file not detected","details":["Warn: project does not have a license file"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#license"}},{"name":"Contributors","score":6,"reason":"project has 2 contributing companies or organizations -- score normalized to 6","details":["Info: found contributions from: Hack23, hack23"],"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#contributors"}},{"name":"Vulnerabilities","score":9,"reason":"1 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#vulnerabilities"}},{"name":"CI-Tests","score":10,"reason":"15 out of 15 merged PRs checked by a CI test -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project 
runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#ci-tests"}}]},"last_synced_at":"2025-08-14T14:27:21.445Z","repository_id":295029007,"created_at":"2025-08-14T14:27:21.445Z","updated_at":"2025-08-14T14:27:21.445Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31869051,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-15T15:24:51.572Z","status":"online","status_checked_at":"2026-04-16T02:00:06.042Z","response_time":69,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["codespace","copilot-enabled","cypress","devsecops","game","game-boilerplate","javascript","lighthouse","nodejs","react","reactjs","secure-by-design","template-project","three-js","threejs","typescript","vite","zap"],"created_at":"2025-12-16T01:31:29.363Z","updated_at":"2026-04-16T03:02:26.712Z","avatar_url":"https://github.com/Hack23.png","language":"TypeScript","readme":"# Game Template\n\nA clean, minimal template for building games with React, TypeScript, Three.js, and Vite - built with **security-first principles**.\n\n## Badges\n\n[![License](https://img.shields.io/github/license/Hack23/game.svg)](https://github.com/Hack23/game/raw/master/LICENSE.md)\n[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/Hack23/game/badge)](https://scorecard.dev/viewer/?uri=github.com/Hack23/game)\n[![Ask 
DeepWiki](https://deepwiki.com/badge.svg)](https://deepwiki.com/Hack23/game)\n\n## 🔒 Security Features\n\nThis template implements comprehensive security measures aligned with **[Hack23 AB's Information Security Management System (ISMS)](https://github.com/Hack23/ISMS-PUBLIC)**:\n\n### 🛡️ Supply Chain Security\n- **🛡️ OSSF Scorecard** - Automated supply chain security assessment ([Open Source Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Open_Source_Policy.md))\n- **🔍 Static Analysis** - CodeQL scanning for vulnerabilities ([Secure Development Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Secure_Development_Policy.md))\n- **📦 Dependency Protection** - Automated dependency vulnerability checks ([Open Source Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Open_Source_Policy.md))\n- **📜 License Compliance** - Automated checking of dependency licenses (MIT, Apache-2.0, BSD variants, ISC, CC0-1.0, Unlicense) ([Open Source Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Open_Source_Policy.md))\n- **📋 SBOM Quality Validation** - Automated SBOM quality scoring with minimum 7.0/10 threshold using SBOMQS ([Secure Development Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Secure_Development_Policy.md))\n- **🔐 Runner Hardening** - All CI/CD runners are hardened with audit logging ([Secure Development Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Secure_Development_Policy.md))\n- **📋 Security Policies** - GitHub security advisories and vulnerability reporting ([Information Security Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Information_Security_Policy.md))\n- **🏷️ Pinned Dependencies** - All GitHub Actions pinned to specific SHA hashes ([Secure Development Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Secure_Development_Policy.md))\n\n### 🔏 Build Integrity \u0026 Attestations\n- **📄 SBOM Generation** - Software Bill of Materials for transparency ([Open Source 
Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Open_Source_Policy.md))\n- **🔏 Build Attestations** - Cryptographic proof of build integrity ([Secure Development Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Secure_Development_Policy.md))\n- **🛡️ Immutable Releases** - Artifacts cannot be tampered with ([Data Classification Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Data_Classification_Policy.md))\n- **🔐 Build Integrity** - Original builds remain unchanged\n- **📋 Audit Trail** - Complete release history\n- **🏆 Artifact Verification** - SLSA-compliant build provenance\n\n### 🧪 Security Testing\n- **🕷️ ZAP Security Scanning** - OWASP ZAP dynamic application security testing ([Secure Development Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Secure_Development_Policy.md))\n- **⚡ Lighthouse Performance** - Automated performance and accessibility audits ([Secure Development Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Secure_Development_Policy.md))\n\n### 📚 Security Documentation\nFor complete security policy mapping and detailed compliance information, see:\n- 📊 **[ISMS Policy Mapping](docs/ISMS_POLICY_MAPPING.md)** - Comprehensive feature-to-policy mapping\n- 🔒 **[SECURITY.md](SECURITY.md)** - Security policy and vulnerability reporting\n- 🔐 **[ISMS-PUBLIC Repository](https://github.com/Hack23/ISMS-PUBLIC)** - Complete ISMS documentation\n\n## Features\n\n- ⚡ **Vite** - Fast build tool and dev server\n- ⚛️ **React 19** - Modern React with hooks\n- 🔷 **TypeScript 6** - Strict typing with ES2025 target\n- 🧪 **Vitest** - Fast unit testing with coverage\n- 🌲 **Cypress** - Reliable E2E testing\n- 📦 **ESLint** - Code linting with TypeScript rules\n- 🔄 **GitHub Actions** - Automated testing and reporting\n- 🎮 **Three.js** - High-performance 3D WebGL renderer\n- 🎨 **@react-three/fiber** - React renderer for Three.js\n- 🛠️ **@react-three/drei** - Useful helpers for react-three-fiber\n- 🎵 **Howler.js** - Audio library for 
games\n- 📖 **TypeDoc** - API documentation generation with ISMS references\n\n## 🤖 GitHub Copilot Custom Agents \u0026 Skills\n\nThis repository leverages GitHub Copilot's latest features for AI-assisted development:\n\n### 🎯 Custom Agents\nSpecialized AI experts for different development tasks:\n\n- **🎯 [product-task-agent](.github/agents/product-task-agent.md)** - Product analysis, quality improvement, and GitHub issue creation\n- **🎮 [game-developer](.github/agents/game-developer.md)** - Three.js game development with @react-three/fiber and @react-three/drei\n- **🎨 [frontend-specialist](.github/agents/frontend-specialist.md)** - React 19 and TypeScript UI development\n- **🧪 [test-engineer](.github/agents/test-engineer.md)** - Comprehensive testing with Vitest and Cypress\n- **🔒 [security-specialist](.github/agents/security-specialist.md)** - Security, compliance, and supply chain protection\n- **📝 [documentation-writer](.github/agents/documentation-writer.md)** - Technical documentation and guides\n\n**Learn more:** [Custom Agents Documentation](.github/agents/README.md)\n\n---\n\n### 🎓 Agent Skills\nReusable patterns and best practices that agents automatically apply:\n\n- **🔒 [security-by-design](.github/skills/security-by-design/SKILL.md)** - High-level security principles and enforcement rules\n- **📋 [isms-compliance](.github/skills/isms-compliance/SKILL.md)** - ISMS policy alignment verification\n- **🎮 [react-threejs-game](.github/skills/react-threejs-game/SKILL.md)** - Three.js game development patterns\n- **🧪 [testing-strategy](.github/skills/testing-strategy/SKILL.md)** - Comprehensive testing patterns\n- **📝 [documentation-standards](.github/skills/documentation-standards/SKILL.md)** - Clear technical documentation\n- **⚡ [performance-optimization](.github/skills/performance-optimization/SKILL.md)** - React and Three.js optimization\n\n**Learn more:** [Agent Skills Guide](.github/skills/README.md) | [Comprehensive Copilot 
Guide](.github/COPILOT_GUIDE.md)\n\n## 🚀 Using This Template\n\nWhen you create a new repository from this template, follow these essential setup steps to get all security and automation features working properly:\n\n### 1. 📋 Setup Repository Labels\n\nLabels are essential for automated pull request categorization and release note generation.\n\n**Run the setup workflow:**\n\n1. Go to **Actions** → **Setup Repository Labels**\n2. Click **\"Run workflow\"**\n3. Choose whether to recreate all labels (optional)\n4. Wait for completion\n\nThis creates all necessary labels for:\n\n- 🚀 Features and enhancements\n- 🐛 Bug fixes\n- 🎮 Game development (graphics, audio, game logic)\n- 🔒 Security and compliance\n- 📦 Dependencies and infrastructure\n\n### 2. 🌐 Enable GitHub Pages Deployment\n\nEnable GitHub Pages to automatically deploy your game when creating releases.\n\n**Setup GitHub Pages:**\n\n1. Go to **Settings** → **Pages**\n2. Under **Source**, select **\"GitHub Actions\"**\n3. Save the configuration\n\nYour game will be automatically deployed to `https://your-username.github.io/your-repo-name/` when you run the release workflow.\n\n### 3. 🔒 Update Security Badge\n\nUpdate the OpenSSF Scorecard badge to point to your repository.\n\n**Edit the README:**\n\n```markdown\n[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/your-username/your-repo-name/badge)](https://scorecard.dev/viewer/?uri=github.com/your-username/your-repo-name)\n```\n\nReplace `your-username/your-repo-name` with your actual GitHub repository path.\n\n### 4. 🎮 Start Building Your Game\n\nWith the template configured, you can now:\n\n1. **Develop locally or in Codespaces**\n\n   ```bash\n   npm install\n   npm run dev\n   ```\n\n2. **Create pull requests** - Labels will be automatically applied\n3. **Run tests** - Automated testing on every push/PR\n4. **Create releases** - Use the release workflow for deployment\n5. 
**Monitor security** - Automated security scanning and scoring\n\n### 🔄 Available Workflows\n\nYour repository includes these automated workflows:\n\n| Workflow                         | Trigger          | Purpose                                                                                         |\n| -------------------------------- | ---------------- | ----------------------------------------------------------------------------------------------- |\n| **Setup Repository Labels**      | Manual           | Creates all required labels for PR categorization                                               |\n| **Setup Copilot Environment**    | Manual           | Validates and documents Copilot MCP server configuration                                        |\n| **Test and Report**              | Push/PR          | Runs unit tests, E2E tests, license compliance, SBOM quality validation, and generates coverage |\n| **Build, Attest and Release**    | Manual/Tag       | Creates secure releases with SBOM, license validation, and attestations                         |\n| **CodeQL Analysis**              | Push/PR/Schedule | Static code analysis for security vulnerabilities                                               |\n| **Dependency Review**            | PR               | Reviews dependencies for known vulnerabilities                                                  |\n| **Scorecard Analysis**           | Push/Schedule    | OSSF supply chain security assessment                                                           |\n| **ZAP Security Scan**            | Manual           | Dynamic security testing of deployed app                                                        |\n| **Lighthouse Performance**       | Manual           | Performance and accessibility audits                                                            |\n\n### 🛡️ Security Features Ready to Use\n\nOnce configured, your repository automatically provides comprehensive security aligned with **[Hack23 
AB's ISMS](https://github.com/Hack23/ISMS-PUBLIC)**:\n\n- **🛡️ OSSF Scorecard** - Automated supply chain security assessment ([Open Source Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Open_Source_Policy.md))\n- **🔍 Static Analysis** - CodeQL scanning for vulnerabilities ([Secure Development Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Secure_Development_Policy.md))\n- **📦 Dependency Protection** - Automated dependency vulnerability checks ([Open Source Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Open_Source_Policy.md))\n- **📜 License Compliance** - Automated checking of dependency licenses ([Open Source Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Open_Source_Policy.md))\n- **📋 SBOM Quality Validation** - Automated SBOM quality scoring ([Secure Development Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Secure_Development_Policy.md))\n- **🔐 Runner Hardening** - All CI/CD runners are hardened ([Secure Development Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Secure_Development_Policy.md))\n- **📋 Security Policies** - GitHub security advisories and vulnerability reporting ([Information Security Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Information_Security_Policy.md))\n- **🏷️ Pinned Dependencies** - All GitHub Actions pinned to specific SHA hashes ([Secure Development Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Secure_Development_Policy.md))\n- **📄 SBOM Generation** - Software Bill of Materials for transparency ([Open Source Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Open_Source_Policy.md))\n- **🔏 Build Attestations** - Cryptographic proof of build integrity ([Secure Development Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Secure_Development_Policy.md))\n- **🛡️ Immutable Releases** - Artifacts cannot be tampered with ([Data Classification Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Data_Classification_Policy.md))\n- **🔐 Build Integrity** - 
Original builds remain unchanged\n- **📋 Audit Trail** - Complete release history\n- **🏆 Artifact Verification** - SLSA-compliant build provenance\n- **🕷️ ZAP Security Scanning** - OWASP ZAP dynamic application security testing ([Secure Development Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Secure_Development_Policy.md))\n- **⚡ Lighthouse Performance** - Automated performance and accessibility audits ([Secure Development Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Secure_Development_Policy.md))\n\nSee **[ISMS Policy Mapping](docs/ISMS_POLICY_MAPPING.md)** for complete feature-to-policy mapping.\n\n### 🎯 Next Steps\n\n1. **Replace the example game** in `src/components/` with your game logic\n2. **Add game assets** to the `public/assets/` directory\n3. **Create your first PR** to see automated labeling in action\n4. **Run your first release** to deploy to GitHub Pages\n5. **Monitor security** through the automatically generated security reports\n\nAll security workflows will protect your game from vulnerabilities while providing complete transparency through attestations and SBOM generation.\n\n## Development Environment\n\nThis template includes a fully configured development environment:\n\n- **🚀 GitHub Codespaces** - Zero-configuration development environment\n- **🤖 GitHub Copilot** - AI-assisted development with code suggestions\n- **💬 Copilot Chat** - In-editor AI assistance for debugging and explanations\n- **🔧 VS Code Extensions** - Pre-configured extensions for game development\n- **🔒 Secure Container** - Hardened development container with security features\n- **🔌 MCP Servers** - Model Context Protocol servers for enhanced Copilot capabilities\n\n### 🚀 Codespaces Setup\n\nThis repository is fully configured for GitHub Codespaces, providing:\n\n- **One-click setup** - Start coding immediately with zero configuration\n- **Pre-installed dependencies** - All tools and libraries ready to use\n- **Configured test environment** - Cypress and 
Vitest ready to run\n- **GitHub Copilot integration** - AI-powered code assistance with MCP servers\n- **Optimized performance** - Container configured for game development\n\n### 🔌 MCP Servers for Enhanced Copilot\n\nThis repository is configured with Model Context Protocol (MCP) servers that enhance GitHub Copilot's capabilities:\n\n- **🗂️ Filesystem Server** - Secure file access for code navigation and editing\n- **🐙 GitHub Server** - Repository context, issues, and PR integration\n- **📚 Git Server** - Version control history and code evolution understanding\n- **🧠 Memory Server** - Maintains context across Copilot conversations\n- **🔍 Brave Search Server** - Documentation search (optional, requires API key)\n- **🎭 Playwright Server** - Browser automation for testing and debugging\n\n**Configuration Files:**\n- `.github/copilot-instructions.md` - Coding guidelines for Copilot\n- `docs/MCP_CONFIGURATION.md` - Detailed MCP setup documentation\n\n**Note:** MCP servers are automatically configured in the GitHub Codespaces environment and don't require separate configuration files.\n\n**Learn More:** See [MCP Configuration Guide](docs/MCP_CONFIGURATION.md) for detailed setup and usage instructions.\n\n### 🔑 Configuring GitHub Personal Access Token\n\nThe **product-task-agent** and **GitHub MCP server** require a Personal Access Token (PAT) to create and manage issues, access repository data, and perform other GitHub operations.\n\n#### Creating a Personal Access Token\n\n1. 
**Generate a Fine-Grained Token** (Recommended)\n   - Go to **GitHub Settings** → **Developer settings** → **Personal access tokens** → **Fine-grained tokens**\n   - Click **\"Generate new token\"**\n   - Fill in the details:\n     - **Token name**: `copilot-mcp-game` (or your preferred name)\n     - **Expiration**: Choose an appropriate duration (e.g., 90 days)\n     - **Repository access**: Select **\"Only select repositories\"** → Choose your game repository\n   \n   - **Repository permissions** (required):\n     - **Issues**: Read and write (for creating and managing issues)\n     - **Contents**: Read-only (for code analysis)\n     - **Metadata**: Read-only (automatically included)\n     - **Pull requests**: Read and write (optional, for PR management)\n     - **Workflows**: Read-only (optional, for workflow status)\n   \n   - Click **\"Generate token\"** and **copy the token immediately** (you won't see it again)\n\n2. **Alternative: Classic Token**\n   - Go to **GitHub Settings** → **Developer settings** → **Personal access tokens** → **Tokens (classic)**\n   - Click **\"Generate new token\"** → **\"Generate new token (classic)\"**\n   - Select scopes:\n     - ✅ `repo` (Full control of private repositories) - **Required**\n     - ✅ `read:org` (Read org membership) - Optional\n     - ✅ `workflow` (Update GitHub Actions workflows) - Optional\n   - Click **\"Generate token\"** and **copy the token**\n\n#### Setting the Token in Your Environment\n\n**For GitHub Codespaces:**\n\n1. Go to your repository on GitHub\n2. Click **Settings** → **Secrets and variables** → **Codespaces**\n3. Click **\"New repository secret\"**\n4. Name: `GITHUB_TOKEN`\n5. Value: Paste your Personal Access Token\n6. 
Click **\"Add secret\"**\n\nThe token will be automatically available in your Codespace environment.\n\n**For Local Development:**\n\n```bash\n# Linux/macOS - Add to ~/.bashrc or ~/.zshrc\nexport GITHUB_TOKEN=\"your_token_here\"\n\n# Windows PowerShell - Add to your PowerShell profile\n$env:GITHUB_TOKEN=\"your_token_here\"\n\n# Windows Command Prompt\nset GITHUB_TOKEN=your_token_here\n```\n\n**Verify the token is set:**\n```bash\n# In your terminal\necho $GITHUB_TOKEN  # Linux/macOS\necho %GITHUB_TOKEN% # Windows CMD\necho $env:GITHUB_TOKEN # Windows PowerShell\n```\n\n#### Required Permissions Summary\n\n| Permission | Access Level | Purpose |\n|------------|--------------|---------|\n| **Issues** | Read and write | Create and manage GitHub issues via product-task-agent |\n| **Contents** | Read-only | Analyze code and repository structure |\n| **Metadata** | Read-only | Access repository metadata (automatic) |\n| **Pull requests** | Read and write | Manage PRs (optional) |\n| **Workflows** | Read-only | Check workflow status (optional) |\n\n#### Security Best Practices\n\n- ✅ **Use fine-grained tokens** with minimal required permissions\n- ✅ **Set appropriate expiration** (90 days recommended)\n- ✅ **Limit to specific repositories** rather than all repositories\n- ✅ **Never commit tokens** to source code\n- ✅ **Use repository secrets** for Codespaces\n- ✅ **Rotate tokens regularly** before expiration\n- ✅ **Revoke unused tokens** in GitHub settings\n\n#### Troubleshooting\n\n**Token not working:**\n- Verify the token has the required permissions\n- Check if the token has expired\n- Ensure `GITHUB_TOKEN` environment variable is set correctly\n- Restart your Codespace or terminal after setting the token\n\n**Permission errors when creating issues:**\n- Ensure token has **Issues: Read and write** permission\n- Verify repository access includes your target repository\n- Check token hasn't been revoked\n\n```mermaid\ngraph LR\n    A[Developer] --\u003e|Opens in 
Codespace| B[Container Setup]\n    B --\u003e|Auto-configures| C[Development Environment]\n    C --\u003e|Provides| D[VS Code + Extensions]\n    C --\u003e|Initializes| E[Node.js Environment]\n    C --\u003e|Configures| F[Testing Tools]\n\n    D --\u003e|Includes| G[GitHub Copilot]\n    D --\u003e|Includes| H[ESLint Integration]\n    D --\u003e|Includes| I[Debug Tools]\n\n    E --\u003e|Installs| J[Three.js]\n    E --\u003e|Installs| K[React 19]\n    E --\u003e|Installs| L[TypeScript]\n\n    F --\u003e|Prepares| M[Cypress E2E]\n    F --\u003e|Prepares| N[Vitest Unit Tests]\n\n    G --\u003e|Assists with| O[Game Logic]\n    G --\u003e|Suggests| P[Game Components]\n\n    classDef primary fill:#e3f2fd,stroke:#1565c0,stroke-width:2px,color:#000\n    classDef tools fill:#e8f5e8,stroke:#2e7d32,stroke-width:2px,color:#000\n    classDef ai fill:#fff3e0,stroke:#e65100,stroke-width:2px,color:#000\n    classDef testing fill:#f3e5f5,stroke:#4a148c,stroke-width:2px,color:#000\n\n    class A,B,C primary\n    class D,E,F tools\n    class G,O,P ai\n    class M,N testing\n    class J,K,L tools\n    class H,I tools\n```\n\n## Security Workflows\n\n```mermaid\ngraph TD\n    A[🔒 Code Push/PR] --\u003e B{🛡️ Security Gates}\n\n    B --\u003e |🔍 Code Analysis| C[CodeQL Scanning]\n    B --\u003e |📦 Dependencies| D[Dependency Review]\n    B --\u003e |📜 License Check| E[License Compliance]\n    B --\u003e |🏗️ Supply Chain| F[OSSF Scorecard]\n\n    C --\u003e |🚨 Vulnerabilities| G[Security Alerts]\n    D --\u003e |⚠️ Known CVEs| G\n    E --\u003e |Invalid Licenses| G\n    F --\u003e |📊 Security Score| H[Security Dashboard]\n\n    G --\u003e I[🚫 Block Merge]\n    H --\u003e J[✅ Security Badge]\n\n    subgraph \"🔐 Protection Layers\"\n        K[Runner Hardening]\n        L[Pinned Actions]\n        M[Audit Logging]\n    end\n\n    subgraph \"🧪 Runtime Security Testing\"\n        N[🕷️ ZAP DAST Scan]\n        O[⚡ Lighthouse Audit]\n        P[🌐 Live Site Testing]\n    end\n\n    J --\u003e N\n  
  N --\u003e |🔍 Dynamic Scan| O\n    O --\u003e |📊 Performance Report| P\n\n    %% Styling\n    classDef security fill:#ffebee,stroke:#c62828,stroke-width:2px,color:#000\n    classDef analysis fill:#e8f5e8,stroke:#2e7d32,stroke-width:2px,color:#000\n    classDef protection fill:#e3f2fd,stroke:#1565c0,stroke-width:2px,color:#000\n    classDef alert fill:#fff3e0,stroke:#ef6c00,stroke-width:2px,color:#000\n    classDef runtime fill:#f3e5f5,stroke:#7b1fa2,stroke-width:2px,color:#000\n\n    class A,B,I security\n    class C,D,E,F analysis\n    class K,L,M protection\n    class G,H,J alert\n    class N,O,P runtime\n```\n\n## Test \u0026 Report Workflow\n\n```mermaid\ngraph TD\n    A[🚀 Code Push/PR] --\u003e B{🔍 Prepare Environment}\n\n    B --\u003e |✅ Dependencies| C[🏗️ Build Validation]\n    B --\u003e |✅ Cypress Cache| D[🧪 Unit Tests]\n    B --\u003e |✅ Display Setup| E[🌐 E2E Tests]\n\n    C --\u003e |✅ Build Success| F{📊 Parallel Testing}\n\n    F --\u003e D\n    F --\u003e E\n\n    D --\u003e |📈 Coverage Report| G[📋 Test Reports]\n    E --\u003e |🎬 Videos \u0026 Screenshots| G\n\n    G --\u003e H[📤 Artifact Upload]\n    H --\u003e I[✨ Combined Reports]\n\n    %% Styling\n    classDef startEnd fill:#e1f5fe,stroke:#01579b,stroke-width:2px,color:#000\n    classDef process fill:#f3e5f5,stroke:#4a148c,stroke-width:2px,color:#000\n    classDef test fill:#e8f5e8,stroke:#1b5e20,stroke-width:2px,color:#000\n    classDef report fill:#fff3e0,stroke:#e65100,stroke-width:2px,color:#000\n    classDef artifact fill:#fce4ec,stroke:#880e4f,stroke-width:2px,color:#000\n\n    class A,I startEnd\n    class B,C,F process\n    class D,E test\n    class G,H report\n    class H artifact\n```\n\n## Quick Start\n\n```bash\n# Using GitHub Codespaces\n# Click \"Code\" button on repository and select \"Open with Codespaces\"\n\n# Or local development:\n# Install dependencies\nnpm install\n\n# Start development server\nnpm run dev\n\n# Build for production\nnpm run build\n\n# Run unit tests\nnpm 
run test\n\n# Run E2E tests\nnpm run test:e2e\n\n# Check license compliance\nnpm run test:licenses\n\n# Generate API documentation\nnpm run docs:api\n```\n\n## Three.js Integration\n\nThis template uses Three.js for high-performance 3D game rendering:\n\n- Modern WebGL-based 3D rendering\n- Optimized performance with @react-three/fiber\n- React integration via @react-three/fiber\n- Useful helpers via @react-three/drei\n- Sound support via Howler.js\n- Responsive 3D canvas\n- Touch and mouse input handling\n- Camera controls with OrbitControls\n\nExample game component:\n\n```tsx\nimport { Canvas } from \"@react-three/fiber\";\nimport { OrbitControls } from \"@react-three/drei\";\n\nexport function Game() {\n  return (\n    \u003cCanvas camera={{ position: [0, 2, 8], fov: 50 }}\u003e\n      {/* Lighting */}\n      \u003cambientLight intensity={0.5} /\u003e\n      \u003cpointLight position={[10, 10, 10]} intensity={1} /\u003e\n\n      {/* 3D Objects */}\n      \u003cmesh\u003e\n        \u003csphereGeometry args={[0.5, 32, 32]} /\u003e\n        \u003cmeshStandardMaterial color=\"#00ff88\" /\u003e\n      \u003c/mesh\u003e\n\n      {/* Camera Controls */}\n      \u003cOrbitControls /\u003e\n    \u003c/Canvas\u003e\n  );\n}\n```\n\n## Testing\n\n### Unit Tests\n\n- Uses Vitest with jsdom environment\n- Configured for React Testing Library\n- Coverage reports generated automatically\n- Run with: `npm run test`\n\n### E2E Tests\n\n- Uses Cypress for end-to-end testing\n- Starts dev server automatically\n- Screenshots and videos on failure\n- Run with: `npm run test:e2e`\n\n### License Compliance\n\n- Automated checking of dependency licenses using `license-compliance`\n- Only allows approved open-source licenses (MIT, Apache-2.0, BSD variants, ISC, CC0-1.0, Unlicense)\n- Prevents dependencies with restrictive or unknown licenses\n- Run with: `npm run test:licenses`\n\n### SBOM Quality Validation\n\n- Automated SBOM quality assessment using 
[SBOMQS](https://github.com/interlynk-io/sbomqs) during CI/CD builds\n- Validates SBOM completeness across multiple standards (NTIA-minimum-elements, BSI v1.1/v2.0, Semantic, Quality, Sharing, Structural)\n- Enforces minimum quality score of **7.0/10** to ensure high-quality Software Bill of Materials\n- Checks for essential components: names, versions, unique IDs, suppliers, licenses, checksums, and dependency relationships\n- Blocks builds with insufficient SBOM quality to maintain supply chain transparency\n- Provides detailed quality reports with actionable feedback for improvement\n\n### CI/CD Pipeline\n\n```mermaid\nflowchart LR\n    subgraph \"🔧 CI Pipeline\"\n        A1[📝 Code Changes] --\u003e A2[🔍 Lint \u0026 Type Check]\n        A2 --\u003e A3[🏗️ Build]\n        A3 --\u003e A4[🧪 Test]\n        A4 --\u003e A5[📊 Report]\n    end\n\n    subgraph \"🔒 Security Pipeline\"\n        S1[🛡️ CodeQL Analysis]\n        S2[📦 Dependency Review]\n        S3[🏆 OSSF Scorecard]\n        S4[SBOM Quality Check]\n        S5[🔐 Runner Hardening]\n    end\n\n    subgraph \"📈 Test Coverage\"\n        B1[Unit Tests\u003cbr/\u003e80%+ Coverage]\n        B2[E2E Tests\u003cbr/\u003eCritical Flows]\n        B3[Type Safety\u003cbr/\u003eStrict Mode]\n    end\n\n    subgraph \"🎯 Outputs\"\n        C1[📄 Coverage Reports]\n        C2[🎬 Test Videos]\n        C3[📸 Screenshots]\n        C4[📋 JUnit XML]\n        C5[🛡️ Security Reports]\n    end\n\n    A4 --\u003e B1\n    A4 --\u003e B2\n    A4 --\u003e B3\n\n    A1 --\u003e S1\n    A1 --\u003e S2\n    A1 --\u003e S3\n    A1 --\u003e S4\n    A1 --\u003e S5\n\n    A5 --\u003e C1\n    A5 --\u003e C2\n    A5 --\u003e C3\n    A5 --\u003e C4\n    S1 --\u003e C5\n    S2 --\u003e C5\n    S3 --\u003e C5\n    S4 --\u003e C5\n\n    %% Styling\n    classDef pipeline fill:#e3f2fd,stroke:#1565c0,stroke-width:2px\n    classDef security fill:#ffebee,stroke:#c62828,stroke-width:2px\n    classDef testing fill:#e8f5e8,stroke:#2e7d32,stroke-width:2px\n    
classDef output fill:#fff8e1,stroke:#f57c00,stroke-width:2px\n\n    class A1,A2,A3,A4,A5 pipeline\n    class S1,S2,S3,S4 security\n    class B1,B2,B3 testing\n    class C1,C2,C3,C4,C5 output\n```\n\n### Security Workflows\n\n- **CodeQL Analysis**: Automated vulnerability scanning on push/PR\n- **Dependency Review**: Checks for known vulnerabilities in dependencies\n- **License Compliance**: Validates all dependencies use approved open-source licenses\n- **SBOM Quality Validation**: Automated SBOM quality assessment using SBOMQS with minimum 7.0/10 score requirement\n- **OSSF Scorecard**: Supply chain security assessment with public scoring\n- **Runner Hardening**: All CI/CD runners use hardened security policies\n\n## 🚀 Release Management\n\nThis template includes a comprehensive, security-first release workflow with automated versioning, security attestations, and deployment.\n\n### Release Flow\n\n```mermaid\nflowchart TD\n    A[🚀 Release Trigger] --\u003e B{📋 Release Type}\n\n    B --\u003e|🏷️ Tag Push| C[🔄 Automatic Release]\n    B --\u003e|⚡ Manual Dispatch| D[📝 Manual Release]\n\n    C --\u003e E[📦 Prepare Phase]\n    D --\u003e E\n\n    E --\u003e F[🏗️ Build \u0026 Test]\n    F --\u003e G[🔒 Security Validation]\n\n    G --\u003e H[📄 Generate SBOM]\n    H --\u003e I[🔏 Create Attestations]\n    I --\u003e J[📋 Draft Release Notes]\n\n    J --\u003e K[🌐 Deploy to Pages]\n    K --\u003e L[📢 Publish Release]\n\n    subgraph \"🔒 Security Layers\"\n        M[SLSA Build Provenance]\n        N[SBOM Attestation]\n        O[Artifact Signing]\n        P[Supply Chain Verification]\n    end\n\n    I --\u003e M\n    I --\u003e N\n    I --\u003e O\n    G --\u003e P\n\n    %% Styling\n    classDef trigger fill:#e1f5fe,stroke:#01579b,stroke-width:2px\n    classDef process fill:#f3e5f5,stroke:#4a148c,stroke-width:2px\n    classDef security fill:#ffebee,stroke:#c62828,stroke-width:2px\n    classDef deploy fill:#e8f5e8,stroke:#1b5e20,stroke-width:2px\n\n    class A,B,C,D 
trigger\n    class E,F,J,K,L process\n    class G,H,I,M,N,O,P security\n```\n\n### 🏷️ Release Types\n\n#### Automatic Releases (Tag-based)\n\n```bash\n# Create and push a tag to trigger automatic release\ngit tag v1.0.0\ngit push origin v1.0.0\n```\n\n#### Manual Releases (Workflow Dispatch)\n\n- Navigate to **Actions** → **Build, Attest and Release**\n- Click **Run workflow**\n- Specify version (e.g., `v1.0.1`) and pre-release status\n- The workflow handles version bumping and tagging automatically\n\n### 📋 Automated Release Notes\n\nRelease notes are automatically generated using semantic labeling:\n\n```mermaid\ngraph LR\n    A[🔄 PR Labels] --\u003e B[📝 Release Drafter]\n    B --\u003e C[📊 Categorized Notes]\n\n    subgraph \"🏷️ Label Categories\"\n        D[🚀 New Features]\n        E[🎮 Game Development]\n        F[🔒 Security \u0026 Compliance]\n        G[🐛 Bug Fixes]\n        H[📦 Dependencies]\n        I[🧪 Test Coverage]\n    end\n\n    A --\u003e D\n    A --\u003e E\n    A --\u003e F\n    A --\u003e G\n    A --\u003e H\n    A --\u003e I\n\n    C --\u003e J[📢 GitHub Release]\n\n    classDef labels fill:#fff3e0,stroke:#e65100,stroke-width:2px\n    classDef process fill:#e3f2fd,stroke:#1565c0,stroke-width:2px\n    classDef output fill:#e8f5e8,stroke:#2e7d32,stroke-width:2px\n\n    class D,E,F,G,H,I labels\n    class A,B,C process\n    class J output\n```\n\n#### Release Note Categories\n\n- **🚀 New Features** - Major feature additions\n- **🎮 Game Development** - Game logic, graphics, audio improvements\n- **🎨 UI/UX Improvements** - Interface and design updates\n- **🏗️ Infrastructure \u0026 Performance** - Build and performance optimizations\n- **🔄 Code Quality \u0026 Refactoring** - Code improvements and testing\n- **🔒 Security \u0026 Compliance** - Security updates and fixes\n- **📝 Documentation** - Documentation improvements\n- **📦 Dependencies** - Dependency updates\n- **🐛 Bug Fixes** - Bug fixes and patches\n\n### 🔒 Security Attestations \u0026 SBOM\n\n#### 
Software Bill of Materials (SBOM)\n\nEvery release includes a comprehensive SBOM in SPDX format:\n\n```json\n{\n  \"SPDXID\": \"SPDXRef-DOCUMENT\",\n  \"name\": \"game-v1.0.0\",\n  \"packages\": [\n    {\n      \"SPDXID\": \"SPDXRef-Package-react\",\n      \"name\": \"react\",\n      \"versionInfo\": \"19.1.0\",\n      \"licenseConcluded\": \"MIT\"\n    }\n  ]\n}\n```\n\n#### Build Provenance Attestations\n\nSLSA-compliant build attestations provide cryptographic proof:\n\n```json\n{\n  \"_type\": \"https://in-toto.io/Statement/v0.1\",\n  \"predicateType\": \"https://slsa.dev/provenance/v0.2\",\n  \"subject\": [\n    {\n      \"name\": \"game-v1.0.0.zip\",\n      \"digest\": {\n        \"sha256\": \"abc123...\"\n      }\n    }\n  ],\n  \"predicate\": {\n    \"builder\": {\n      \"id\": \"https://github.com/actions/runner\"\n    },\n    \"buildType\": \"https://github.com/actions/workflow@v1\"\n  }\n}\n```\n\n#### Verification Commands\n\n```bash\n# Verify build provenance\ngh attestation verify game-v1.0.0.zip \\\n  --owner Hack23 --repo game\n\n# Verify SBOM attestation\ngh attestation verify game-v1.0.0.zip \\\n  --owner Hack23 --repo game \\\n  --predicate-type https://spdx.dev/Document\n```\n\n# 🔒 Immutable Releases\n\nThis repository uses **GitHub's immutable releases** to prevent unauthorized modifications to published releases.\n\n## What are Immutable Releases?\n\nImmutable releases lock release artifacts after publication, ensuring:\n\n- **🛡️ Supply Chain Security** - Artifacts cannot be tampered with\n- **🔐 Build Integrity** - Original builds remain unchanged\n- **📋 Audit Trail** - Complete release history\n\n\u003e Only release title and notes can be modified after publication.\n\n## How to Enable\n\n### For Your Repository:\n\n1. Go to **Settings** → **General**\n2. Scroll to the **\"Releases\"** section\n3. Check **\"Enable release immutability\"**\n4. ⚠️ Only applies to **future releases**\n\n### For Your Organization:\n\n1. 
Go to **Organization Settings** → **Repository** → **General**\n2. In **\"Releases\"** section, select policy:\n   - **All repositories** - Apply to all org repos\n   - **Selected repositories** - Choose specific repos\n3. ⚠️ Only applies to **future releases**\n\n## Verification\n\n```bash\n# Verify release artifacts haven't been tampered with\ngh attestation verify game-v1.1.4.zip --owner Hack23 --repo game\n```\n\n---\n\n_Part of our security-first approach alongside OSSF Scorecard, SLSA attestations, and automated scanning._\n\n### 📦 Release Artifacts\n\nEach release includes multiple artifacts with full traceability:\n\n```\n📦 Release v1.0.0\n├── 🎮 game-v1.0.0.zip                    # Built application\n├── 📄 game-v1.0.0.spdx.json             # Software Bill of Materials\n├── 🔏 game-v1.0.0.zip.intoto.jsonl      # Build provenance attestation\n└── 📋 game-v1.0.0.spdx.json.intoto.jsonl # SBOM attestation\n```\n\n### 🌐 Deployment Pipeline\n\n```mermaid\nsequenceDiagram\n    participant Dev as 👨‍💻 Developer\n    participant GH as 🐙 GitHub\n    participant CI as 🔄 CI/CD\n    participant Sec as 🔒 Security\n    participant Pages as 🌐 GitHub Pages\n\n    Dev-\u003e\u003eGH: 🏷️ Push Tag/Manual Trigger\n    GH-\u003e\u003eCI: 🚀 Start Release Workflow\n\n    CI-\u003e\u003eCI: 🧪 Run Tests \u0026 Build\n    CI-\u003e\u003eSec: 🔍 Security Scans\n    Sec--\u003e\u003eCI: ✅ Security Validated\n\n    CI-\u003e\u003eSec: 📄 Generate SBOM\n    CI-\u003e\u003eSec: 🔏 Create Attestations\n    Sec--\u003e\u003eCI: 📋 Security Artifacts Ready\n\n    CI-\u003e\u003eGH: 📝 Draft Release Notes\n    CI-\u003e\u003eGH: 📦 Upload Artifacts\n\n    CI-\u003e\u003ePages: 🌐 Deploy Application\n    Pages--\u003e\u003eCI: ✅ Deployment Success\n\n    CI-\u003e\u003eGH: 📢 Publish Release\n    GH--\u003e\u003eDev: 🎉 Release Complete\n```\n\n### 🔐 Security Compliance\n\n#### OSSF Scorecard Integration\n\n- **Automated scoring** of supply chain security practices\n- **Public transparency** with security 
badge\n- **Continuous monitoring** of security posture\n\n#### Supply Chain Protection\n\n- **Pinned dependencies** - All GitHub Actions pinned to SHA hashes\n- **Dependency scanning** - Automated vulnerability detection\n- **SLSA compliance** - Build integrity and provenance\n- **Signed artifacts** - Cryptographic verification of releases\n\n### 📊 Release Metrics\n\nTrack release quality and security with built-in metrics:\n\n- **🔒 Security Score** - OSSF Scorecard rating\n- **📈 Test Coverage** - Unit and E2E test coverage\n- **🏷️ Vulnerability Count** - Known security issues\n- **📦 Dependency Health** - Outdated/vulnerable dependencies\n- **🚀 Build Success Rate** - CI/CD pipeline reliability\n\n## Building Your Game\n\nThis template provides a **secure foundation** for game development:\n\n1. Replace the counter example with your game logic\n2. Add game-specific components in `src/components/`\n3. Create game state management (Context API, Zustand, etc.)\n4. Add unit tests for game logic\n5. Create E2E tests for game flows\n6. **Create releases** using the automated workflow\n7. **Monitor security** through OSSF Scorecard and attestations\n8. 
Deploy using the included **security-hardened** GitHub Actions\n\nAll security workflows will automatically protect your game from common vulnerabilities and supply chain attacks, while providing full transparency through SBOM and attestations.\n\n## 📚 Documentation\n\n### Development Guides\n- **[Copilot Quick Start Guide](docs/COPILOT_QUICK_START.md)** - Get started with GitHub Copilot in this repository\n- **[MCP Configuration Guide](docs/MCP_CONFIGURATION.md)** - Model Context Protocol setup and usage\n- **[MCP Architecture](docs/MCP_ARCHITECTURE.md)** - Visual guide to MCP integration\n- **[Copilot Instructions](.github/copilot-instructions.md)** - Coding guidelines for AI assistance\n\n### Security \u0026 Compliance\n- 🔒 **[SECURITY.md](SECURITY.md)** - Security policy and vulnerability reporting\n- 🛡️ **[SECURITY_HEADERS.md](SECURITY_HEADERS.md)** - Security headers implementation\n- 📊 **[ISMS Policy Mapping](docs/ISMS_POLICY_MAPPING.md)** - Complete feature-to-policy mapping\n- 🔐 **[ISMS-PUBLIC Repository](https://github.com/Hack23/ISMS-PUBLIC)** - Hack23 AB's complete ISMS\n\n### ISMS Core Policies\n- 🔐 **[Information Security Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Information_Security_Policy.md)** - Overall security governance\n- 🛠️ **[Secure Development Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Secure_Development_Policy.md)** - SDLC and CI/CD requirements\n- 📦 **[Open Source Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Open_Source_Policy.md)** - Supply chain security\n- 🏷️ **[Data Classification Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Data_Classification_Policy.md)** - Data handling requirements\n- 🔒 **[Privacy Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Privacy_Policy.md)** - Privacy and GDPR compliance\n- 🔑 **[Access Control Policy](https://github.com/Hack23/ISMS-PUBLIC/blob/main/Access_Control_Policy.md)** - Authentication and authorization\n\nHappy gaming! 
🎮🔒\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhack23%2Fgame","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhack23%2Fgame","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhack23%2Fgame/lists"}