Report a fail status when skipping the CI on untrusted pull requests

[gilles-peskine-arm]

We do not run the main CI automatically on pull requests from external contributors who have not been approved individually. The way this works is that the CI script runs, detects that the pull request is untrusted and stops immediately. This results in a pull request that has two green ticks (from DCO and readthedocs) plus one pending status (the required check for pr-head) which will never complete without manual intervention. To a casual eye, this looks like a passing CI, but it's actually an incomplete CI. We should make it apparent that the CI hasn't run and manual action is needed.

The goal of this task is, when giving up on an untrusted CI, report a non-success status (pending or error), with a description indicating what is happening in a way that is comprehensible by newcomers.