As long they don't sign their commits, no.
Jason sometimes directly committed stuff to https://github.com/Whonix. (I'll review that, since I have to stay on top of developments and because I cannot push before I fetch and merge anyhow.) So I'd have to add a useless commit on top if we wanted to create a release out of that git head.
For others who provide git branches in git forks such as troubadour with https://github.com/troubadoour/whonix-repository-wizard (unsigned git commits), I also review for non-maliciousness and security issues before merging. For example.
git diff troubadoour/master
And also check the log doesn't contain anything crazy.
git log master..troubadoour/master
Just now did set "never use fast forward merging" option in git.
git config --global --add merge.ff false
This will force to always make a merge commit. And that merge commit will be automatically signed by me.
But I don't think we should force everyone who commits to gpg sign their commits. Wouldn't be that useful for pseudonymous contributors. (Would still have some use for long term contributors.)