Harden Whonix/Kicksecure code edits/branches on GitHub

There are some nice options that might be worth looking at, enabling what's important on GitHub:

For branches there is, e.g., "Require signed commits":

There is also a code and security scanner under "Code security and analysis" (e.g. SonarQube/cloud can be integrated easily from there):

Related:


I don’t think we can get any security advantage from this. It’s a security feature provided by a third-party server. “Commit is signed” is meaningless because creation of an arbitrary signing key is cheap. All Kicksecure / Whonix git commits and tags are signed. Those by contributors might not be signed but I have to carefully review, merge and sign these. Whenever users download source code, they can end-to-end verify it against my signing key.

It’s more like policy tools useful to enforce policies for big organizations.

You’d have to suggest a specific threat model where and how some specific setting would help.
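An added example (not code from this thread or from the Whonix/Kicksecure project) of the end-to-end check the reply describes: a commit is accepted only if its signature verifies and the signing key matches a fingerprint pinned locally, so a commit that merely carries some valid signature, which a hosting platform would still label as signed, is rejected. The fingerprints, commit ids and sample `git log` lines are constructed; `git_log_lines` assumes git and gpg are installed locally with the pinned public keys imported.

```python
import subprocess
from dataclasses import dataclass

# git-log(1) placeholders: %H commit id, %G? signature status letter,
# %GP fingerprint of the primary key behind the signing (sub)key.
LOG_FORMAT = "%H %G? %GP"
# Statuses meaning the signature verified ("U": gpg's trust db does not
# vouch for the key, irrelevant here since we pin fingerprints ourselves).
VALID_SIGNATURE = {"G", "U"}

@dataclass
class CommitCheck:
    commit: str
    status: str
    fingerprint: str
    accepted: bool
    reason: str

def check_commits(log_lines, trusted_fingerprints):
    """Accept a commit only if its signature verifies AND the signing key
    is pinned; a valid signature from any other key (which a hosting site
    would still display as signed) is rejected."""
    trusted = {f.replace(" ", "").upper() for f in trusted_fingerprints}
    results = []
    for line in log_lines:
        fields = line.split()
        if not fields:
            continue
        commit, status = fields[0], (fields[1] if len(fields) > 1 else "N")
        fpr = fields[2].upper() if len(fields) > 2 else ""
        if status not in VALID_SIGNATURE:
            results.append(CommitCheck(commit, status, fpr, False, "no valid signature"))
        elif fpr not in trusted:
            results.append(CommitCheck(commit, status, fpr, False, "signed by unpinned key"))
        else:
            results.append(CommitCheck(commit, status, fpr, True, "ok"))
    return results

def git_log_lines(repo_dir, rev_range):
    """LOG_FORMAT lines for a real repo; assumes git and gpg are installed
    and the pinned public keys are imported into the local keyring."""
    proc = subprocess.run(["git", "-C", repo_dir, "log", f"--format={LOG_FORMAT}", rev_range],
                          check=True, capture_output=True, text=True)
    return [l for l in proc.stdout.splitlines() if l.strip()]

# Constructed sample output (not real commits or keys): signed by the pinned
# key, signed by some other key, and unsigned.
PINNED = ["AAAA" * 10]
SAMPLE_LOG = ["1" * 40 + " G " + "AAAA" * 10,
              "2" * 40 + " U " + "BBBB" * 10,
              "3" * 40 + " N "]
```

Against a real checkout, run `check_commits(git_log_lines(path, "origin/master..HEAD"), PINNED)` with the maintainer's fingerprint in `PINNED`; any result with `accepted == False` is a commit that should not be merged or built.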