You can enforce it on your git server. My experience is with Bitbucket but I'm sure GitHub has the same options. You could set up something like: nobody can push to master except through the PR UI, all PRs must have a reviewer, no PR can be merged to master without being approved by all reviewers. That way you guarantee that everything on master can be tracked to a dev + a reviewer giving sign-off.
Sure but who admins the git server? At work it's actually me (and my team) - we have backend access to the git repos as a necessary result of that. While it would be tricky to hide changes, if people only merge via PR it would be easy to bury a few extra commits no one worries about provided they don't break anything.
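An added example, not part of either comment above: one way to check for the concern raised in the second comment is to compare master's history against a PR approval log kept somewhere the git admins cannot edit. The commit graph, the PR log format, and every name below are constructed assumptions, and the sketch assumes PRs land as merge commits.

```python
# Added example: constructed data and hypothetical names throughout.

def ancestors(graph, start):
    """All commits reachable from `start` (inclusive) via parent links."""
    seen, stack = set(), [start]
    while stack:
        sha = stack.pop()
        if sha not in seen:
            seen.add(sha)
            stack.extend(graph[sha])
    return seen

def audit_master(graph, tip, base, pr_records):
    """Walk master's first-parent chain from tip back to base and report
    every commit that cannot be traced to an approved PR."""
    findings = []
    sha = tip
    while sha != base:
        parents = graph[sha]
        record = pr_records.get(sha)
        if record is None:
            findings.append((sha, "on master without a PR merge"))
        else:
            if not record["approved_by"]:
                findings.append((sha, "PR merged without approval"))
            # Commits this merge brought in: reachable from the merged side only.
            introduced = set()
            for side in parents[1:]:
                introduced |= ancestors(graph, side)
            introduced -= ancestors(graph, parents[0])
            for extra in sorted(introduced - record["reviewed_commits"]):
                findings.append((extra, f"not in reviewed set of PR merged at {sha}"))
        sha = parents[0]
    return findings

# Constructed history: base <- m1 (merge of a1) <- x1 (no PR) <- m2 (merge of b1, b2)
GRAPH = {
    "base": [],
    "a1": ["base"], "m1": ["base", "a1"],
    "x1": ["m1"],
    "b1": ["x1"], "b2": ["b1"], "m2": ["x1", "b2"],
}
# Constructed out-of-band PR log; b2 is absent from the reviewed set of its PR.
PR_RECORDS = {
    "m1": {"approved_by": ["reviewer1"], "reviewed_commits": {"a1"}},
    "m2": {"approved_by": ["reviewer2"], "reviewed_commits": {"b1"}},
}

if __name__ == "__main__":
    for sha, reason in audit_master(GRAPH, "m2", "base", PR_RECORDS):
        print(sha, "-", reason)
```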