[viraptor]

> and never merge/push a change that won't pass tests/CI.

This can be enforced as well. For example using Gerrit + some CI, you can allow people to submit a branch to be merged, but it's up to the CI to merge it if it passes all checks. There's no "aren't allowed" anymore. (Which is great because people will make mistakes)

One thing to keep in mind though is you're describing a system that works for a continuously deployed web service for example. Once you have a product with versions, you need to have a system for previous releases, backporting patches, security/point updates, etc. It's a completely different game at that point.