@joeyh One option I do is upload my gits either to IPFS or Beaker Browser. I recently made my own Git repository on my own page in Beaker.
What you'd do is have an iframe of source code to see what it contains, see if you can trust it, and then a download link to the tarball.
And it would be decentralized as well.