Signatures as integrity check for every file in repo
Even with 2FA and HTTPS there are still some attack vectors on terminologit that could be easily prevented through signed files. Every file in a GitLab repo should be signed, maybe saved in the same repo or in a "mirror integrity repository" with only the signatures.
Edited by Nik
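
A sketch of the "mirror integrity repository" variant proposed above, added here as an example and not taken from the issue or from the project's code. It assumes OpenSSL RSA/SHA-256 detached signatures; the function names, directory layout and file names are hypothetical, and the sample files are constructed.

```shell
#!/bin/sh
# Added example, not the project's code. Assumptions: OpenSSL RSA/SHA-256
# detached signatures; list_files, sign_tree, verify_tree, demo are hypothetical.

# List regular files under $1, skipping Git metadata.
list_files() { ( cd "$1" && find . -type f ! -path './.git/*' ); }

# sign_tree REPO MIRROR PRIVKEY: write MIRROR/<path>.sig for every file in REPO.
sign_tree() {
    list_files "$1" | while IFS= read -r f; do
        mkdir -p "$2/$(dirname "$f")"
        openssl dgst -sha256 -sign "$3" -out "$2/$f.sig" "$1/$f" || exit 1
    done
}

# verify_tree REPO MIRROR PUBKEY: succeed only if every file has a valid
# signature and every signature still has its file.
verify_tree() {
    # Pass 1: catches modified files and files added without a signature.
    list_files "$1" | while IFS= read -r f; do
        [ -f "$2/$f.sig" ] || { echo "UNSIGNED $f" >&2; exit 1; }
        openssl dgst -sha256 -verify "$3" -signature "$2/$f.sig" "$1/$f" \
            >/dev/null 2>&1 || { echo "BAD SIGNATURE $f" >&2; exit 1; }
    done || return 1
    # Pass 2: catches files silently deleted from the repo.
    list_files "$2" | while IFS= read -r s; do
        [ -f "$1/${s%.sig}" ] || { echo "MISSING ${s%.sig}" >&2; exit 1; }
    done || return 1
}

# demo DIR: constructed sample repo, throwaway key pair, signed mirror.
demo() {
    mkdir -p "$1/repo/input" "$1/mirror"
    echo 'constructed sample terminology' > "$1/repo/input/codesystem.txt"
    echo 'constructed readme' > "$1/repo/README.md"
    openssl genrsa -out "$1/key.pem" 2048 2>/dev/null
    openssl rsa -in "$1/key.pem" -pubout -out "$1/pub.pem" 2>/dev/null
    sign_tree "$1/repo" "$1/mirror" "$1/key.pem"
}
```

The check only adds protection if the private key is kept off the Git server and the public key reaches verifiers through a separate channel; otherwise whoever can alter the files can also re-sign them.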