git can use gpg to sign push actions, not just commits/tags. The resulting push signature can be used to generate a transparency log of which account pushed certain commits to any given branch, and when. It can also be used to outright reject unsigned or invalid pushes.
It would be really useful from a security perspective to advertise support for and process signed pushes, as an audit log feature. And opt in to enforcing this for all pushes for people who want to guarantee that all push actions are securely audited.