docs: add commits doc to contributing guide (#1844)

Signed-off-by: [email protected] <[email protected]>

CONTRIBUTING.md

@@ -2,6 +2,15 @@
 
 Welcome! We are very happy to accept community contributions to Ratify, whether those are [Pull Requests](#pull-requests), [Plugins](#plugins), [Feature Suggestions](#feature-suggestions) or [Bug Reports](#bug-reports)! Please note that by participating in this project, you agree to abide by the [Code of Conduct](./CODE_OF_CONDUCT.md), as well as the terms of the [CLA](#cla).
 
+## Table of Contents
+- [Getting Started](#getting-started)
+- [Feature Areas](#feature-areas)
+- [Feature Enhancements](#feature-enhancements)
+- [Feature Suggestions](#feature-suggestions)
+- [Bug Reports](#bug-reports)
+- [Developing](#developing)
+- [Pull Requests](#pull-requests)
+
 ## Getting Started
 
 * If you don't already have it, you will need [go](https://golang.org/dl/) v1.16+ installed locally to build the project.
@@ -12,7 +21,6 @@ Welcome! We are very happy to accept community contributions to Ratify, whether
 
 ## Feature Enhancements
 For non-trivial enhancements or bug fixes, please start by raising a document PR. You can refer to the example [here](https://github.com/ratify-project/ratify/blame/dev/docs/proposals/Release-Supply-Chain-Metadata.md).
-
 Major user experience updates should be documented in [/doc/proposals](https://github.com/ratify-project/ratify/tree/dev/docs/proposals). Changes to technical implementation should be added to [/doc/design](https://github.com/ratify-project/ratify/tree/dev/docs/design).  
 
 Consider adding the following section where applicable:
@@ -45,6 +53,18 @@ If the PR contains a regression that could not pass the full validation, please
 3. Follow the same process to get this PR gets merged into `dev`.
 4. Work on the fix and follow the above PR process.
 
+### Commit
+
+You should follow [conventional commits](https://www.conventionalcommits.org/en/v1.0.0/) to write commit message. As the Ratify Project repositories enforces the [DCO (Developer Certificate of Origin)](https://github.com/apps/dco) on Pull Requests, contributors are required to sign off that they adhere to those requirements by adding a `Signed-off-by` line to the commit messages. Git has even provided a `-s` command line option to append that automatically to your commit messages, please use it when you commit your changes. 
+
+The Ratify Project repositories require signed commits, please refer to [SSH commit signature verification](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification#ssh-commit-signature-verification) on signing commits using SSH as it is easy to set up. You can find other methods to sign commits in the document [commit signature verification](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification). Git has provided a `-S` flag to create a signed commit.
+
+An example of `git commit` command:
+
+```shell
+git commit -s -S -m <commit_message>
+```
+
 ## Developing
 
 ### Components
@@ -71,6 +91,7 @@ The Ratify project is composed of the following main components:
 ### Debugging Ratify with VS Code
 
 Ratify can run through cli command or run as a http server. Create a [launch.json](https://code.visualstudio.com/docs/editor/debugging#_launch-configurations) file in the .vscode directory, then hit F5 to debug. Note the first debug session may take a few minutes to load, subsequent session will be much faster.
+A demo of VS Code debugging experience is available from ratify community meeting [recording](https://youtu.be/o5ufkZRDiIg?si=mzSw5XHPxBJmgq8i&t=2793) min 46:33. 
 
 Here is a sample json for cli. Note that for the following sample json to successfully work, you need to make sure that `verificationCerts` attribute of the verifier in your config file points to the notation verifier's certificate file. In order to do that, you can download the cert file with the following command:
 `curl -sSLO https://raw.githubusercontent.com/deislabs/ratify/main/test/testdata/notation.crt`,