For example, if 5 devs submit signatures for their locally built programs/libraries, then a GitHub build system cannot be corrupted or produce unexpected results because none of the signatures would match.
So now an attacker would need to corrupt 5 dev computers or the public source repository (and remain undiscovered), because corrupting one dev is no guarantee.
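
The check described above, as an added example that is not part of the original text: a build-server artifact is accepted only when the required number of known developers attested to exactly the digest the server produced. The HMAC keys stand in for real developer signatures (a simplification, since the verifier holds them), and all names, keys and artifact bytes are constructed for illustration.

```python
import hashlib
import hmac

def digest(artifact: bytes) -> str:
    """SHA-256 of a build output; identical only if the builds are bit-for-bit equal."""
    return hashlib.sha256(artifact).hexdigest()

def _tag(dev: str, key: bytes, d: str) -> str:
    # Assumption: HMAC stands in for a developer's public-key signature.
    return hmac.new(key, f"{dev}:{d}".encode(), hashlib.sha256).hexdigest()

def attest(dev: str, key: bytes, artifact: bytes) -> dict:
    """A developer's statement: 'my local build hashed to this digest'."""
    d = digest(artifact)
    return {"dev": dev, "digest": d, "tag": _tag(dev, key, d)}

def verify_release(ci_artifact: bytes, attestations: list, keys: dict, required: int):
    """Return (accepted, agreeing_devs, disagreeing_devs) for the CI artifact."""
    ci_digest = digest(ci_artifact)
    agreeing, disagreeing = set(), set()
    for a in attestations:
        key = keys.get(a["dev"])
        if key is None:
            continue  # unknown submitter: ignored
        if not hmac.compare_digest(_tag(a["dev"], key, a["digest"]), a["tag"]):
            continue  # forged or altered attestation: ignored
        (agreeing if a["digest"] == ci_digest else disagreeing).add(a["dev"])
    agreeing -= disagreeing  # a dev who attested both ways does not count as agreeing
    return len(agreeing) >= required, sorted(agreeing), sorted(disagreeing)

# Constructed sample data: five developers and two possible build outputs.
KEYS = {f"dev{i}": f"constructed-key-{i}".encode() for i in range(1, 6)}
CLEAN = b"constructed artifact bytes v1.0"
TAMPERED = CLEAN + b" + injected payload"

def honest_attestations() -> list:
    """All five developers built the unmodified source locally."""
    return [attest(dev, key, CLEAN) for dev, key in KEYS.items()]

if __name__ == "__main__":
    # Build server is clean: all five digests match, release accepted.
    print(verify_release(CLEAN, honest_attestations(), KEYS, required=5))
    # Build server is corrupted: no developer digest matches, release rejected.
    print(verify_release(TAMPERED, honest_attestations(), KEYS, required=5))
    # Build server plus one developer corrupted: still 4 short of the quorum.
    mixed = [attest("dev1", KEYS["dev1"], TAMPERED)] + honest_attestations()[1:]
    print(verify_release(TAMPERED, mixed, KEYS, required=5))
```

The third case is the point of the second sentence: one corrupted developer machine produces a single agreeing attestation, and the four disagreeing ones both block the release and expose the mismatch.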