raphinou 2 hours ago
From my understanding the checkmarx attack could have been prevented by the asfaload project I'm working on. See https://github.com/asfaload/asfaload It is:
- open source
- accountless (keys are identity)
- using a public git backend, making it easily auditable
- easy to self-host, meaning you can easily deploy it internally
- multisig, meaning even if a GitHub account is breached, malevolent artifacts can be detected
- validating a download transparently to the user, which only requires the download URL, contrary to sigstore