What if there are people outside Let's Encrypt who want to contribute and can't use GPG because of regulations or something, or simply don't want to use their private email to sign commits for a public repository? Think about the folks from the HackTeam, where GitHub connected the repo with their private profiles.
Basically you can't enforce that only signed commits get committed and merged. An attacker in this case had the ability to commit, open a PR, merge it (to the master, release and staging branches) and close it seconds before LE starts to upgrade their systems, which is publicly announced.
But therefore white hats like me report such incidents to the people responsible for it. ISRG revoked the API key, committed the fix and merged it to the master branch within 2 hours and 18 minutes with https://github.com/letsencrypt/boulder/pull/1827, which is fast, I think.