
Commit 5544c6d

Document the removal of CD without maintainers
1 parent a2ed52f commit 5544c6d

1 file changed

+4
-0
lines changed

README.md

@@ -98,11 +98,15 @@ cd:
9898
enabled: true
9999
```
100100

101+
For this to work, there needs to be at least one developers listed.
102+
If the list of developers is empty or missing entirely (e.g., after the last maintainer steps down), no new releases can be published through JEP-229 CD.
103+
101104
**IMPORTANT:**
102105
When using JEP-229 CD, [every committer to your repository](https://www.jenkins.io/doc/developer/publishing/source-code-hosting/) can create new releases by merging pull requests.
103106
As a result, the list of maintainer accounts maintained in your plugin's YAML file is no longer the single reference on who can publish new releases.
104107
Be sure to check [which users have commit access](https://www.jenkins.io/doc/developer/publishing/source-code-hosting/) to your repository and remove any that are unexpected before enabling CD, as well as any unexpected [deploy keys](https://docs.github.com/en/developers/overview/managing-deploy-keys).
105108
Additionally, the users listed in this repository still serve as the contacts for security issues and plugin/component governance questions.
109+
For that reason, CD permissions are also only granted to components with at least one maintainer.
106110
In particular, the Jenkins security team will _not_ make an effort to reach out to GitHub committers when maintainers (and security contacts, see below) are unresponsive before [announcing vulnerabilities without a fix](https://www.jenkins.io/security/plugins/#unresolved).
107111

108112
It is also possible to enable JEP-229 CD exclusively, i.e., the listed users will not be able to create new releases, but remain contacts for security issues and plugin/component governance questions.
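
Review bot: The first added paragraph (new lines 101-102) reads "at least one developers listed", which is ungrammatical and does not say where the list lives; suggest "For this to work, at least one developer needs to be listed in your plugin's YAML file." The sentence added at new line 109 then says "at least one maintainer" for what looks like the same requirement, so either use one term throughout or state that the listed developers are the maintainers; otherwise a reader can take these as two separate conditions. The commit title speaks of "removal of CD", while the added text only says that no new releases can be published, so it is worth one more sentence on what happens to an existing `enabled: true` entry when the list becomes empty and how CD is restored once a maintainer is listed again.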
