@mattly I did talk to the GitHub team about this stuff, for -hours-; however, they are convinced even offering code-signing or signed code reviews as -optional- would make people feel pressured to do such things, and contribute less code, so thus they will never do it.
Instead, they force 2FA on developers and make them want to contribute less code anyway, a change that does not actually solve the problem.
Microsoft/GitHub have lost the plot. Or they never had it.
I recommend Codeberg.