Does it solve anything? I don't see this as a GitHub problem, it's a "we built a dependency management system with untrusted publishers" problem.
GitLab's `include` feature has the same concern. They do offer an integrity check, but it's not any more capable than hash pinning to a commit.
Fundamentally, if you offer a way to extend your product with externally-provided components, and you can't control the external publishers, then you've left the door open to 'these issues'.
