[3np]

In theory, there is a solution to the PGP revocation issue that I think vibes with OPs desire:

Generate a long-lived root keypair (SC/C), the public key of which you add to the forge. You never sign directly with this. Instead you routinely generate new signing pairs. If compromised you hopefully only need to revoke the subkey so the blast radius is a lot smaller.

You could even do a three-tier one where you can keep the root key dead cold and literally lock it into a vault.

Last time I looked, this was not supported in GitHub, though; it only recognized signatures by explicitly trusted keys, not their signed subkeys.