This is easy to do with Git with a pre-receive hook. Of course, this requires that you are actually able to install hooks, and for obvious reasons, GitHub doesn’t allow you to upload arbitrary executable files to run on their servers 🙂

In general, the workflow with Git or really any distributed version control system, is that you don’t allow other people to push to your repository. Instead, you pull from theirs. This requires a much lower level of trust. So, this would be workaround number 1: don’t let them push, have them fork and then pull from them. That way, you can control what goes into your repository.

Another workaround would be to set up your own staging repository on a server you own, where you can install your own Git hooks. You can configure a pre-receive hook which denies pushing if it’s not a fast-forward and post-receive hook which automatically forwards all pushes to GitHub. Of course, this means that you lose many of the benefits of using GitHub in the first place.

As a third workaround, you could use multiple repositories. This is a combination of the two other approaches: have one repository that your collaborators can push to and another one that only you have access to, that you pull into from the first repository.

At any rate, you should file a feature request with GitHub (especially if you are a paying customer!) since this seems to be a useful feature.