[universal]: Add non verified commit warning github action (CloudPirates-io#335)

* Add non verified commit warning github action

* Recognize ssh signing

* Fix unset git option

* Test change to verify without signature message

* Test change to verify without signature message

* Test change to verify without signature message

Author: zOnlyKroks

.github/workflows/check-signed-commits.yaml

@@ -0,0 +1,139 @@
+name: "Check Signed Commits"
+
+on:
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+    branches:
+      - main
+
+jobs:
+  check-signed-commits:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5.0.0
+        with:
+          fetch-depth: 0
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Configure Git for SSH signature verification
+        run: |
+          # Create a temporary allowed signers file (not used for actual verification)
+          # This allows git to recognize SSH signatures exist without requiring key validation
+          touch /tmp/allowed_signers
+          git config --global gpg.ssh.allowedSignersFile /tmp/allowed_signers
+          # Configure git to recognize SSH signing format
+          git config --global gpg.format ssh
+
+      - name: Check for verified commits
+        id: check-commits
+        run: |
+          # Get all commits in the PR
+          git fetch origin ${{ github.event.pull_request.base.ref }}
+          COMMITS=$(git rev-list origin/${{ github.event.pull_request.base.ref }}..${{ github.event.pull_request.head.sha }})
+
+          UNSIGNED_COMMITS=""
+          UNSIGNED_COUNT=0
+          TOTAL_COUNT=0
+
+          for commit in $COMMITS; do
+            TOTAL_COUNT=$((TOTAL_COUNT + 1))
+            # Check if commit is signed (GPG or SSH signature)
+            # %G? returns signature status
+            # %GF returns the signing key fingerprint (empty if not signed)
+            SIGNATURE=$(git log -1 --format='%G?' $commit)
+            FINGERPRINT=$(git log -1 --format='%GF' $commit)
+
+            # %G? returns:
+            # G = good GPG signature
+            # U = unverified signature (has signature but can't verify - common for SSH)
+            # B = bad signature
+            # N = no signature
+            # E = signature expired
+            # Y = good signature (expired key)
+
+            # A commit is considered SIGNED if it has any signature present
+            # We check for a fingerprint to confirm a signature exists
+            # For SSH signatures, %G? will be "U" but %GF will have the fingerprint
+
+            if [[ -z "$FINGERPRINT" ]]; then
+              # No fingerprint means no signature at all
+              UNSIGNED_COMMITS="${UNSIGNED_COMMITS}${commit}\n"
+              UNSIGNED_COUNT=$((UNSIGNED_COUNT + 1))
+            fi
+          done
+
+          echo "total_commits=${TOTAL_COUNT}" >> $GITHUB_OUTPUT
+          echo "unsigned_commits=${UNSIGNED_COUNT}" >> $GITHUB_OUTPUT
+
+          if [ $UNSIGNED_COUNT -gt 0 ]; then
+            echo "has_unsigned=true" >> $GITHUB_OUTPUT
+          else
+            echo "has_unsigned=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Check if comment already exists
+        if: steps.check-commits.outputs.has_unsigned == 'true'
+        id: check-comment
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          # Check if our bot has already commented on this PR
+          COMMENT_EXISTS=$(gh api \
+            -H "Accept: application/vnd.github+json" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            "/repos/${{ github.repository }}/issues/${{ github.event.pull_request.number }}/comments" \
+            | jq -r '.[] | select(.user.login == "github-actions[bot]" and (.body | contains("⚠️ Unsigned Commits Detected"))) | .id' | head -1)
+
+          if [ -n "$COMMENT_EXISTS" ]; then
+            echo "comment_exists=true" >> $GITHUB_OUTPUT
+            echo "comment_id=${COMMENT_EXISTS}" >> $GITHUB_OUTPUT
+          else
+            echo "comment_exists=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Post warning comment
+        if: steps.check-commits.outputs.has_unsigned == 'true' && steps.check-comment.outputs.comment_exists == 'false'
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          cat << 'EOF' | gh pr comment ${{ github.event.pull_request.number }} --repo ${{ github.repository }} -F -
+          ## ⚠️ Unsigned Commits Detected
+
+          This pull request contains unsigned commits.
+
+          ### What does this mean?
+
+          Signed commits help ensure the authenticity and traceability of contributions. They allow us to verify that commits actually came from the stated author, even if GitHub accounts are deleted or modified in the future.
+
+          ### Current Policy (Grace Period)
+
+          **This is currently a warning only.** We are in a transition period to give all contributors time to set up commit signing.
+
+          After this grace period, **all commits will be required to be signed** before PRs can be merged.
+
+          ### How to sign your commits
+
+          Please see our [Contributing Guide](../blob/main/CONTRIBUTING.md#setting-up-your-development-environment) for detailed instructions on setting up commit signing.
+
+          ### Resources
+
+          - [Contributing Guide: Development Setup](../blob/main/CONTRIBUTING.md#setting-up-your-development-environment)
+          - [GitHub Docs: About Commit Signature Verification](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification)
+
+          ---
+
+          _This check will become mandatory in the future. Please start signing your commits now to avoid issues later._
+          EOF
+
+      - name: Success message
+        if: steps.check-commits.outputs.has_unsigned == 'false'
+        run: |
+          echo "✅ All ${{ steps.check-commits.outputs.total_commits }} commits in this PR are signed!"
+