Chore: Implement issue-first contribution workflow with PR gatekeeper #240

Draft: mohdsayed wants to merge 1 commit into main from update/compliance-doc

@mohdsayed
Member

Description

Introduces an automated contribution workflow that enforces SOC 2-aligned quality gates while keeping the experience welcoming for external contributors.

Relevant Technical Choices

  • PR Gatekeeper (.github/workflows/gatekeeper.yml): A new workflow that validates two requirements on every PR — a linked issue and GPG/SSH-verified commits. It uses author_association to exempt internal contributors (OWNER, MEMBER, COLLABORATOR) from the linked-issue check. On failure it auto-creates needs-discussion / unverified-identity labels, leaves a single supportive comment with actionable instructions, and fails the status check to block merging. Labels are cleaned up automatically on a passing re-run.
  • Welcome Automation (.github/workflows/welcome.yml): Fires once on PR open for NONE / FIRST_TIME_CONTRIBUTOR authors who have no linked issue. Posts a warm onboarding comment pointing them to the Issues creation page and Discussions tab before the gatekeeper comment runs.
  • PR Template (.github/PULL_REQUEST_TEMPLATE.md): Added a friendly intro banner, a signed-commits hint with a link to the GitHub guide, and two new checklist items for the issue-first and signing requirements.
  • CONTRIBUTING.md: Added an Our commitment to a secure and reliable ecosystem section framing SOC 2 requirements as contributor protections. Renamed Sending a pull request → How to get your PR merged successfully and added The Issue-First rule subsection that explains the why behind the rule and explicitly scopes it to external contributors.

Testing Instructions

Additional Information:

Screenshot/Screencast


Checklist

  • I have thoroughly tested this code to the best of my abilities.
  • I have reviewed the code myself before requesting a review.
  • This code is covered by unit tests to verify that it works as intended.
  • The QA of this PR is done by a member of the QA team (to be checked by QA).

Fixes #

@mohdsayed changed the title from "Implement issue-first contribution workflow with PR gatekeeper" to "Chore: Implement issue-first contribution workflow with PR gatekeeper" on Apr 2, 2026
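
The gatekeeper decision described in the PR description, sketched as an added JavaScript example; it is not the `gatekeeper.yml` from this PR, whose contents are not shown on this page. The closing-keyword regex used to detect a linked issue, the function names and the sample payloads are assumptions; `author_association` and `commit.verification.verified` are GitHub REST API fields.

```javascript
// Added illustration, not the workflow from this PR. Field names follow GitHub's REST API.
const INTERNAL = new Set(["OWNER", "MEMBER", "COLLABORATOR"]);
const LABELS = { issue: "needs-discussion", signing: "unverified-identity" };

// Assumption: a "linked issue" is a closing keyword plus #N (or owner/repo#N) in the PR body.
const CLOSING_REF =
  /\b(?:close[sd]?|fix(?:e[sd])?|resolve[sd]?)\b:?\s+(?:[\w.-]+\/[\w.-]+)?#\d+/i;

function hasLinkedIssue(body) {
  // Drop HTML comments so a template hint like "<!-- Fixes #123 -->" does not count.
  const visible = (body || "").replace(/<!--[\s\S]*?-->/g, "");
  return CLOSING_REF.test(visible);
}

function evaluatePr(pr, commits) {
  const failed = new Set();
  // Internal authors are exempt from the linked-issue check only.
  if (!INTERNAL.has(pr.author_association) && !hasLinkedIssue(pr.body)) {
    failed.add(LABELS.issue);
  }
  // Signing applies to every author; a missing verification object fails closed.
  const unsigned = commits
    .filter((c) => c.commit?.verification?.verified !== true)
    .map((c) => c.sha);
  if (commits.length === 0 || unsigned.length > 0) failed.add(LABELS.signing);

  const all = Object.values(LABELS);
  return {
    pass: failed.size === 0, // false should fail the status check
    addLabels: all.filter((l) => failed.has(l)),
    removeLabels: all.filter((l) => !failed.has(l)), // cleanup for checks that now pass
    unsigned,
  };
}

// Constructed sample input: an external PR whose body still has the empty "Fixes #" line.
const samplePr = { author_association: "FIRST_TIME_CONTRIBUTOR", body: "Adds docs\n\nFixes #" };
const sampleCommits = [
  { sha: "aaa111", commit: { verification: { verified: true, reason: "valid" } } },
  { sha: "bbb222", commit: { verification: { verified: false, reason: "unsigned" } } },
];
console.log(evaluatePr(samplePr, sampleCommits));
```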