fix: broaden commit signing language from GPG-only to all methods

[JacobPEvans]

Summary

• Update all 7 PR templates: All commits are GPG signed → All commits are signed
• Update CONTRIBUTING.md: broaden signing section to acknowledge automated signing (Copilot, Renovate, GitHub Actions)
• Update README.md: GPG-signed commits → Signed commits

GitHub now supports GPG, SSH, S/MIME, and native app signing. Copilot cloud agent
started signing commits on 2026-04-03.
The old "GPG signed" language was overly specific and excluded valid signing methods.

These are org-wide inherited defaults — changes propagate to all repos without overrides.

Closes JacobPEvans/ai-workflows#126

Test plan

• Verify inherited templates render correctly on a repo without overrides
• Confirm Copilot cloud agent can create signed PRs (test issue: fix: rename 'Copilot coding agent' to 'Copilot cloud agent' ai-workflows#126)

🤖 Generated with Claude Code

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request updates the project's documentation and pull request templates to adopt more inclusive language regarding commit signing. By shifting from 'GPG-signed' to 'Signed', the project now correctly acknowledges modern, automated signing methods supported by GitHub, ensuring the requirements remain accurate as the development workflow evolves.

Highlights

• Broadened Commit Signing Requirements: Updated all pull request templates and documentation to reflect that commit signing is not limited to GPG, but includes all supported methods like SSH, S/MIME, and native app signing.
• Documentation Updates: Revised CONTRIBUTING.md to clarify that automated tools like Copilot, Renovate, and GitHub Actions handle signing automatically, and updated the human contributor section accordingly.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

---

The GPG lock was once the key, But now the gates are wide and free. With SSH or native sign, Our commits now all align.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[Copilot]

Pull request overview

Broadens repository guidance from “GPG-signed commits” to “signed commits” to reflect GitHub’s multiple supported commit-signing methods and to accommodate automated tooling signatures.

Changes:

• Updated README and PR templates to require “Signed commits” instead of “GPG-signed commits”.
• Updated CONTRIBUTING commit-signing guidance to acknowledge automated PR signing via GitHub app/native signing.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
README.md	Updates PR template requirements summary to “Signed commits”.
docs/CONTRIBUTING.md	Broadens commit-signing language and adds note about automated PR signing.
.github/PULL_REQUEST_TEMPLATE/refactor.md	Replaces “GPG signed” checklist item with “signed”.
.github/PULL_REQUEST_TEMPLATE/pull_request_template.md	Replaces “GPG signed” checklist item with “signed”.
.github/PULL_REQUEST_TEMPLATE/performance.md	Replaces “GPG signed” checklist item with “signed”.
.github/PULL_REQUEST_TEMPLATE/feature.md	Replaces “GPG signed” checklist item with “signed”.
.github/PULL_REQUEST_TEMPLATE/docs.md	Replaces “GPG signed” checklist item with “signed”.
.github/PULL_REQUEST_TEMPLATE/bug.md	Replaces “GPG signed” checklist item with “signed”.
.github/PULL_REQUEST_TEMPLATE/breaking.md	Replaces “GPG signed” checklist item with “signed”.

Comments suppressed due to low confidence (1)

docs/CONTRIBUTING.md:56

• The new wording broadens commit signing beyond GPG, but the “Human Contributors — Getting Started” steps still describe only generating/configuring a GPG key. This reads as if GPG is still the required method. Consider updating this section to explicitly list the supported signing options (GPG / SSH / S/MIME) and link to GitHub’s commit signature verification docs for each, or rephrase the steps as one possible path (GPG) among others.

### Human Contributors — Getting Started

If you've never signed commits before, don't worry—it only takes a few minutes to set up:

1. **Generate a GPG key** (if you don't have one): Follow [GitHub's guide on generating a GPG key](https://docs.github.com/en/authentication/managing-commit-signature-verification/generating-a-new-gpg-key)

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.