Many open-source projects now require contributors to agree to a Developer Certificate of Origin, primarily this one. Legal departments of open-source companies are particularly fond of it.
It is sufficient to state conspicuously in CONTRIBUTING that all contributors agree to the DCO, for example:
## Certificate of Origin By contributing to this project you agree to the Developer Certificate of Origin (DCO). This document was created by the Linux Kernel community and is a simple statement that you, as a contributor, have the legal right to make the contribution. See the DCO file for details.
And add the text of the DCO to the repository (preferably in the root directory, though in Pacemaker's case devel could be a good choice as well).
Alternatively or in addition, projects can require every commit to be "Signed-off-by" in which case github.com/apps/dco can be used to enforce the requirement.
This should be brought up with the community, particularly the users and developers lists, and if there is a consensus, then ideally all ClusterLabs projects should adopt it around the same time. Clear instructions for contributors should be posted on the ClusterLabs.org website and in the Pacemaker Development book.
Somewhat related, we might also want to encourage (but should not require) contributors to sign the GPL Cooperation Commitment.