prep version 0.4.0 · 2d5cb413
Alexander Wellbrock authored
Major new feature is the signature job and signing in the build job.

Many different scenarios are possible:

Use the gitlab CI variables to directly sign commits in the build job.
Depending on how variables are configured this will sign all branches.
To restrict the branches, one can make them only available in
protected branches.

Another method is to use the sign job. This job can then be extended
with rules to e.g. only run on branches distinct from the main branch,
because you'd like to sign commits on main branch manually with a
different, more secure key. Or only execute the job on protected branches.

Apart from gitlab CI variables the GPG credentials might also be
provided fully or partially through the gitlab-runner. With the runner's
env configuration it can override or add the credentials on the fly.
The benefit with this is that you can distribute e.g. the key and its
passphrase through different machines with different access levels.
This way someone with access to the gitlab repo will not automatically
gain access to the full gpg creds. Keep in mind that a runner
configured like that is now confidential and that all jobs could leak
the GPG key or passphrase.
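As an added illustration of the protected-branch sign job and the split of credentials between CI variables and the runner described in the commit message (example configuration, not the project's own CI file): the variable names GPG_PRIVATE_KEY and GPG_PASSPHRASE, the stage name and the image are assumptions.

```yaml
# Added example, not from the project: a GitLab CI sign job that runs only on
# protected branches other than the default branch (which is signed manually
# with a separate key). GPG_PRIVATE_KEY and GPG_PASSPHRASE are assumed variable
# names; mark them "Protected" (and the passphrase "Masked") in the project's
# CI/CD settings so jobs on unprotected branches never receive them.
sign:
  stage: sign
  image: alpine:3.19
  rules:
    # CI_COMMIT_REF_PROTECTED and CI_DEFAULT_BRANCH are predefined GitLab variables.
    - if: '$CI_COMMIT_REF_PROTECTED == "true" && $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH'
  before_script:
    - apk add --no-cache git gnupg
    # Import the private key from the CI variable (or from the runner environment).
    - echo "$GPG_PRIVATE_KEY" | gpg --batch --import
    # Wrapper so git's non-interactive gpg call can read the passphrase from
    # the environment instead of a pinentry dialog.
    - |
      cat > /usr/local/bin/gpg-ci <<'EOF'
      #!/bin/sh
      exec gpg --batch --pinentry-mode loopback --passphrase "$GPG_PASSPHRASE" "$@"
      EOF
    - chmod +x /usr/local/bin/gpg-ci
    - git config gpg.program /usr/local/bin/gpg-ci
    - git config user.signingkey "$(gpg --list-secret-keys --with-colons | awk -F: '/^sec/{print $5; exit}')"
  script:
    # Re-create the head commit with a signature, then verify it before pushing.
    - git commit --amend --no-edit -S
    - git verify-commit HEAD

# Runner-side alternative (this part is gitlab-runner config.toml, not YAML):
# keep the passphrase only on the runner so repository access alone does not
# yield the full credentials. Any job scheduled on this runner can read it,
# so restrict the runner to the projects and protected branches that need it.
#   [[runners]]
#     environment = ["GPG_PASSPHRASE=<placeholder, set on the runner host>"]
```

`git verify-commit HEAD` fails the job if the signature was not produced, which is the check to keep even when the rest of the job is adapted.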