I'm not sure, but I think it should be possibly to do a multisig, just like with btc transaction. Anyone can verify that k out of n keys signed.

Off the top of my head, projects with multiple code owners. 

Are there multisig nostr keys?

random_

Interesting. What problem would this solve? For instance, how is this better than just the owner broadcasting new version signed with his key (just like any nostr message)

phaedrus

bitcoin

Decentralized github - requirements

A project owner could commit the hash of the current version of their project to a taproot utxo. 

Proposed changes can be endorsed by the project owner by updating the utxo. 

Broadcasting the utxo could be seen as an official 'release'. Then use nostr to get the project from someone with a copy. 