notify contributors that signed commits are mandatory

[jgadsden]

Summary:

This documents that signed commits are mandatory and notifies contributors

Description for the changelog:

document mandatory signed commits

Declaration:

Thanks for submitting a pull request, please make sure:

• content meets the license for this project
• N/A appropriate unit tests have been created and/or modified
• N/A you have considered any changes required for the functional tests
• you have read the contribution guide and agree to the Code of Conduct
• either no AI-generated content has been used in this pull request
• or any use of AI in this pull request has been disclosed below:
  • AI Tools: [e.g. GitHub CoPilot, ChatGPT, JetBrains Junie, etc]
  • LLMs and versions: [e.g. GPT-4.1, Claude Haiku 4.5, Gemini 2.5 Pro, etc]
  • Prompts: [Summarize the key prompts or instructions given to the AI tools]

Other info:

Closes #1525

[jgadsden]

The Trivy scan is picking up some very recent CVEs, subject of pull request #1524

[lreading]

How does this work with a pull request that has unsigned commits? Are those able to be merged, or will the branch protection rule block the merge? (genuine question!)

[jgadsden]

I am fairy sure that the pull request will be blocked from merge - I hope so otherwise the singed-commits are of no use :)
I can relax the settings for a while until @InfosecOTB merges pull request #1527 , but I agree we are entering a brave new world

[jgadsden]

the signed commits have proved to be successful, and if necessary can be bypassed by repository admins
going ahead with the merge so that the contributors can be made aware