I think a weakness with GitHub might be ssh-based pushes. Hopefully the user uses an ssh passphrase (typed at every remote git interaction, or typed once per session via ssh-agent. macOS does something special with their secure enclave thing.)
But how do you secure that against the threat of a keylogger running on a developer's Linux machine? Am I overthinking here? Is it already game over if the attacker runs software on that developer's machine?
You can use FIDO security keys with SSH and a keylogger would be useless unless someone has physical access to your security key.
Can this be "emulated" on macOS with the keychain?
Secretive might be what you're looking for: https://github.com/maxgoedjen/secretive
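Added example, not part of the thread: a server-side check related to the FIDO security key comment above. It classifies `authorized_keys` entries as FIDO-backed (OpenSSH `sk-` key types) or ordinary file keys and flags the `no-touch-required` option; the sample file, the `fake_line` helper and all function names are constructed for this example.

```python
import base64
import re
import struct

# FIDO-backed public key types in OpenSSH; the rest are private keys stored in a file.
SK_TYPES = {"sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}
FILE_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
              "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def split_fields(line):
    """Split on whitespace but keep double-quoted option values in one field."""
    return re.findall(r'(?:"(?:\\.|[^"\\])*"|\S)+', line)

def blob_type(b64):
    """Read the length-prefixed key type stored at the start of the key blob."""
    raw = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", raw[:4])
    return raw[4:4 + n].decode("ascii")

def audit(text):
    """Return (line_no, key_type, verdict) for every key line in the file."""
    out = []
    for no, line in enumerate(text.splitlines(), 1):
        fields = split_fields(line.strip())
        if not fields or fields[0].startswith("#"):
            continue
        i = next((k for k, f in enumerate(fields) if f in SK_TYPES | FILE_TYPES), None)
        try:  # the declared type must match the type inside the blob
            ok = i is not None and blob_type(fields[i + 1]) == fields[i]
        except (IndexError, ValueError, struct.error):
            ok = False
        ktype = fields[i] if ok else None
        opts = ",".join(fields[:i]).split(",")  # options precede the key type
        verdict = ("unparsed" if not ok else "file-key" if ktype not in SK_TYPES
                   else "fido-no-touch" if "no-touch-required" in opts else "fido")
        out.append((no, ktype, verdict))
    return out

def fake_line(ktype, opts="", comment="constructed"):
    """Constructed sample: correct type header, zero bytes instead of a real key."""
    blob = struct.pack(">I", len(ktype)) + ktype.encode() + bytes(32)
    return f"{opts} {ktype} {base64.b64encode(blob).decode()} {comment}".strip()

SAMPLE = "\n".join(["# constructed authorized_keys", fake_line("ssh-ed25519"),
    fake_line("sk-ssh-ed25519@openssh.com"),
    fake_line("sk-ecdsa-sha2-nistp256@openssh.com",
              'no-touch-required,command="echo ssh-rsa x"')])

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A `file-key` verdict means the private key lives on the client's disk, where a passphrase is the only protection; `fido-no-touch` means the server accepts signatures without a touch on the security key.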