Improve PR landing flow for signed linear history #331

@choufraise

Description

Problem

NAuth requires:

  • verified signed commits
  • Signed-off-by trailers
  • linear history
  • no squash merges
  • no merge commits
  • no GitHub-created landing commits that rewrite/sign commits behind the scenes

The current setup makes external PRs painful. A contributor can rebase onto origin/main, but if main moves before we merge, the PR fails again and the contributor has to repeat the process. For external contributors this creates unnecessary back-and-forth.

Example: #322 failed Verify Rebase on Main because the PR branch was not based on the latest origin/main.

Current State

Repository settings/rules observed:

  • merge commits disabled
  • squash merges disabled
  • rebase merge enabled
  • web commit signoff required
  • main ruleset requires:
    • no deletion
    • no non-fast-forward updates
    • linear history
    • pull request review
    • last-push approval
    • conversation resolution
    • required status check: Validate Signed-off Commits
    • required signed commits
    • CodeQL/code quality gates
  • custom Rebase Check workflow requires PR head to contain latest origin/main

Desired Direction

Use PRs for review, but land changes through a trusted signed integration flow.

The final landed commits should be:

  • linear
  • verified signed
  • DCO-compliant
  • based on current main
  • pushed by a trusted landing actor after verification

Proposed Changes

  1. Split the main ruleset into separate concerns:

    • hard invariants: signed commits, linear history, no force-push, no deletion
    • PR policy: approval, conversation resolution, last-push approval, required checks
  2. Add a trusted landing actor:

    • GitHub App, bot account, or maintainer team
    • must sign commits with a verified signing key
    • allowed to bypass only the PR-policy rule, not signed commits or linear history
  3. Restrict direct updates to main:

    • only the landing actor can push
    • humans should not land PRs through the GitHub UI
  4. Remove the custom Rebase Check workflow:

    • rebasing should happen at landing time, not be pushed back to contributors repeatedly
  5. Disable strict “branch must be up to date” behavior for required status checks:

    • the landing actor should rebase onto latest main, run/verify checks, then fast-forward push
  6. Add an always-running aggregate PR Gate check:

    • keep existing path-filtered workflows
    • make one stable gate required instead of requiring skipped path-filtered jobs directly
  7. Tighten Actions permissions:

    • set default workflow token permissions to read
    • grant write permissions only per workflow where needed
    • consider restricting third-party Actions or requiring SHA pinning
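A minimal landing runbook that carries out step 5 (rebase onto latest main, verify, fast-forward push) and gives maintainers the script the acceptance criteria ask for. This is an added illustration, not code from this issue or the NAuth repository; the remote name `origin`, branch `main`, and the requirement that the signing key be locally trusted (`%G?` of `G`) are assumptions, and the landing actor is assumed to have `user.signingkey` configured.

```shell
#!/usr/bin/env bash
# Hypothetical landing-actor runbook (not from the repository).
# Assumes remote "origin", target branch "main", the PR head already fetched
# to a local ref, and a signing key configured for the landing actor.
set -eu

REMOTE="${REMOTE:-origin}"
TARGET="${TARGET:-main}"

# Exit 0 if the commit message on stdin carries a well-formed Signed-off-by trailer.
has_signoff_trailer() {
  grep -Eq '^Signed-off-by: [^<]+ <[^@> ]+@[^@> ]+>$'
}

# Exit 0 only if git reports a good signature from a trusted key (%G? == G).
# "U" (good but untrusted) and "N" (unsigned) are rejected on purpose.
commit_is_verified() {
  [ "$(git log -1 --format='%G?' "$1")" = "G" ]
}

# land_pr <pr-head-ref>: rebase onto current main, re-sign, verify, fast-forward push.
land_pr() {
  head="$1"
  git fetch "$REMOTE" "$TARGET"
  git checkout --quiet --detach "$head"
  # Rebasing rewrites the commits, so they must be re-signed by the landing actor.
  # Commit messages, and with them the contributor's Signed-off-by trailers, survive.
  git rebase --gpg-sign "$REMOTE/$TARGET"
  for c in $(git rev-list --reverse "$REMOTE/$TARGET..HEAD"); do
    commit_is_verified "$c" || { echo "unverified signature on $c" >&2; return 1; }
    git log -1 --format=%B "$c" | has_signoff_trailer \
      || { echo "missing Signed-off-by on $c" >&2; return 1; }
  done
  # No --force: the push only succeeds as a fast-forward, so main stays linear.
  git push "$REMOTE" "HEAD:refs/heads/$TARGET"
}
# Usage (run by hand, not on load): land_pr refs/remotes/origin/pr-123-head
```

Because every check runs against the rebased commits, a PR that was green before main moved is re-verified against what actually lands, which is what lets the custom Rebase Check workflow go away.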

Acceptance Criteria

  • External contributors are not required to repeatedly rebase when main moves.
  • Maintainers cannot accidentally land through GitHub UI in a way that rewrites signatures.
  • Final commits on main are verified signed.
  • Final commits on main keep Signed-off-by trailers.
  • main remains linear.
  • CI/DCO/review requirements are still enforced before landing.
  • A maintainer runbook or script exists for the landing process.
