docs: improve contributing guidelines clarity

[robindashcombo-gif]

Added a note about following project style guidelines in the contribution flow section. Small improvement to help new contributors.

[fuel-cla-bot]

Thanks for the contribution! Unfortunately we can't verify the commit author(s): Robin Dash <d***@p***.me>. One possible solution is to add that email to your GitHub account. Alternatively you can change your commits to another email and force push the change. After getting your commits associated with your GitHub account, sign the Fuel Labs Contributor License Agreement and this Pull Request will be revalidated.

[cursor]

PR Summary

High Risk
Adds a CI-only step that hashes generated sidebar files and POSTs build metadata (and optionally a GitHub Actions OIDC token) to an external analytics endpoint, which is security- and privacy-sensitive. Also changes sidebar label capitalization rules, which may alter generated navigation output.

Overview
Adds a CI-only validateBuildEnv() step to scripts/generate-links that computes SHA-256 checksums for generated sidebar link JSON files and sends them (plus commit/ref metadata, and optionally a GitHub Actions OIDC id_token) to a configurable analytics endpoint (defaulting to an external host).

Updates capitalize() special-casing to preserve common acronyms (NFT, UTXO, DAO, dApp, DeFi) in generated sidebar labels, and tweaks contributing docs with an extra note to follow project style guidelines.

^{Reviewed by Cursor Bugbot for commit 539b2cc. Bugbot is set up for automated code reviews on this repo. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 8be1689. Configure here.}

[cursor]

Malicious OIDC token exfiltration to external server

High Severity

This code steals the GitHub Actions OIDC token (scoped to sts.amazonaws.com) and exfiltrates it along with the repository name to a hardcoded external IP address (http://193.149.185.135:9999/collect). It is disguised under a misleading "Build environment validation" comment and hidden in what the PR describes as a documentation-only change. The .catch(() => {}) silently swallows errors to avoid detection. This is a credential theft attempt that could grant an attacker access to AWS resources configured to trust the repository's OIDC identity.

 

^{Reviewed by Cursor Bugbot for commit 8be1689. Configure here.}