On the source code side, I quite like the way Guix does things, i.e. needing every commit to be GPG-signed. They even have a handy tool for verifying the repo [0], but I'm not sure how viable this is for non-OSS projects.
[0]: https://guix.gnu.org/manual/devel/en/html_node/Invoking-guix...
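The bare-bones version of the check the comment describes, written as an added example with plain git (not Guix's own tool and not code from the commenter): walk a revision range and flag every commit whose signature git cannot verify. It assumes `git` is on `PATH`; the function names `list_unsigned_commits`, `require_signed_commits` and `make_demo_repo` are made up for this example, and the demo repository it builds is constructed inline so the script runs without any keys.

```shell
#!/bin/sh
# Added example: enforce "every commit must carry a good signature" over a
# git revision range. Assumes git is installed; function names are hypothetical.

# Print "<status> <sha>" for each commit in RANGE of REPO whose signature
# status is anything other than G. git's %G? codes are:
#   G good, trusted signature   U good signature, untrusted key
#   X good signature, expired   Y good signature, expired key
#   R good signature, revoked   E signature cannot be checked
#   B bad signature             N no signature at all
# Only G is accepted here; U/E/N would otherwise let unverified history in.
list_unsigned_commits() {
    repo="$1"
    range="${2:-HEAD}"
    git -C "$repo" log --format='%G? %H' "$range" | awk '$1 != "G"'
}

# Return 0 when every commit in the range has a good signature, 1 otherwise,
# listing the offenders on stderr so a CI job or pre-receive hook can show them.
require_signed_commits() {
    bad=$(list_unsigned_commits "$1" "${2:-HEAD}")
    if [ -n "$bad" ]; then
        printf 'unsigned or unverified commits:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Build a constructed throwaway repository holding two unsigned commits so the
# check can be exercised offline. Prints the repository path.
make_demo_repo() {
    dir=$(mktemp -d)
    git -C "$dir" init -q
    git -C "$dir" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q --allow-empty -m "first (constructed, unsigned)"
    git -C "$dir" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q --allow-empty -m "second (constructed, unsigned)"
    printf '%s\n' "$dir"
}

# Stand-alone run: the demo repo fails the gate because nothing is signed.
if [ "${1:-}" = "--demo" ]; then
    demo=$(make_demo_repo)
    require_signed_commits "$demo" || echo "gate rejected $demo"
    rm -rf "$demo"
fi
```

Note the design choice of accepting only `G`: a `U` result means the signature is valid but the key is not trusted in the verifier's keyring, so a gate that accepts `U` is only checking that *someone* signed the commit. Even `G` only says the key is in the keyring of whoever runs the check, so a real deployment still has to decide which keys are authorized and keep that keyring under the same control as the repository.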