feat: governance improvements

[krancour]

This introduces automated contribution governance to formalize and
streamline how issues and pull requests are triaged, reviewed, and
processed. The goal is to make contribution policies self-documenting,
consistently enforced, and low-overhead for maintainers.

GitHub Actions are notoriously hard to test. This has been tested exhaustively in a fork.

Issue Templates -- Converted to YAML Forms

Bug report and feature request templates have been converted from
markdown to GitHub YAML issue forms. YAML forms enforce required fields
at the GitHub UI level -- submitters cannot skip them.

• bug_report.yml: Requires description, steps to reproduce, expected
  behavior, actual behavior, and Kargo version.
• feature_request.yml: Requires proposed feature and motivation.
  Includes a prominent notice that feature requests are not guaranteed
  to be implemented, and that work should not begin until all blocking
  labels have been removed by a maintainer.

Blank issues are now disabled (blank_issues_enabled: false). GitHub
natively exempts maintainers from this restriction.

PR Template

A new pull request template (.github/PULL_REQUEST_TEMPLATE.md)
establishes clear expectations for all PRs:

• Must reference an existing issue using Closes #<number>
• Checklist covering issue linkage, blocking labels, testing,
  documentation, and DCO sign-off
• AI Use Disclosure section for transparency on AI-assisted contributions
• Cryptographic commit signing noted as preferred (not required)

Automated PR Policy Check

A new workflow (.github/workflows/pr-policy-check.yaml) runs on every
opened pull request and enforces the issue-first contribution model:

• No linked issue: If the PR body does not reference an issue, the PR
  is labeled policy/no-linked-issue, a comment explains the policy, and
  the PR is closed.
• Blocked issue: If the linked issue carries any blocking label, the
  PR is labeled policy/blocked-issue, a comment identifies the specific
  blocking label(s), and the PR is closed.

Blocking labels:

• Process: kind/proposal, needs discussion, needs research
• Scope: maintainer only, area/security
• Size: size/large, size/x-large, size/xx-large

Maintainers (org members) and bots are exempt from all automated checks.

Slash Commands

A new workflow (.github/workflows/slash-commands.yaml) provides
maintainers with quick-response slash commands for common governance
actions. Commands are posted as issue or PR comments and trigger
automated responses. Behavior is context-aware -- issue commands and PR
commands are handled by separate jobs with tailored messages and actions.

Issue commands:

Command	Action
/discuss	Add needs discussion label; comment that discussion is needed before work begins
/duplicate #N	Label duplicate, comment, close
/enterprise	Comment that the feature is planned for Kargo Enterprise, close
/maintainer	Add maintainer only label, comment
/research	Add needs research label; comment that research is needed before work begins
/unblock	Remove process-blocking labels (kind/proposal, needs discussion, needs research), comment
/help	Show available issue commands

PR commands:

Command	Action
/discuss	Add needs discussion label; comment that discussion is needed before merge
/duplicate #N	Label duplicate, comment, close
/enterprise	Comment that the feature is planned for Kargo Enterprise, close
/maintainer	Comment that linked issue is maintainer-only, close
/premature	Comment that linked issue has not been unblocked, close
/quality	Comment that PR does not meet quality standards, close
/research	Add needs research label; comment that research is needed before merge
/unblock	Remove blocking labels, comment that PR is unblocked for merge
/unsolicited	Comment that PR has no linked issue, close
/help	Show available PR commands

Only maintainers (org members) can trigger slash commands.

Contributor Guide

The contributor guide (docs/docs/60-contributor-guide/index.md) has
been rewritten to clearly document:

• The issue-first contribution model and step-by-step process
• All blocking labels and what they mean
• Automatic enforcement and what triggers it
• Quality expectations, including expectations around AI-assisted
  contributions
• Response time expectations and etiquette guidelines

New Labels Required

The following labels must be created before merging:

• policy/no-linked-issue (yellow) -- Applied to PRs with no issue reference
• policy/blocked-issue (yellow) -- Applied to PRs whose linked issue has blocking labels

Future Considerations

This implementation uses GitHub Actions, which is well-suited for
proving out the governance model and iterating on the specific policies
and messaging. If the results are positive but the response latency of
Actions (~5-15s cold start) proves to be a concern, the logic can be
ported to a GitHub App with minimal effort for near-instant webhook
response times.

[netlify]

✅ Deploy Preview for docs-kargo-io ready!

Name	Link
🔨 Latest commit	5d3c685
🔍 Latest deploy log	https://app.netlify.com/projects/docs-kargo-io/deploys/69dae8eea3e7330008a55c7c
😎 Deploy Preview	https://deploy-preview-6065.docs.kargo.io
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 57.28%. Comparing base (7da14bc) to head (5d3c685).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #6065   +/-   ##
=======================================
  Coverage   57.28%   57.28%           
=======================================
  Files         470      470           
  Lines       39659    39659           
=======================================
  Hits        22717    22717           
  Misses      15588    15588           
  Partials     1354     1354           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[krancour]

I've actually been toying with porting the policy enforcement and slash command scripts to a proper GitHub App today. I'm going to choose not to merge this yet because I end up wanting to skip straight to doing things that way instead.

[krancour]

Closed in favor of #6077