You seem to think the only way to compromise hosted git trees is by manipulating the git tree from the file system. But what he would likely do is add himself to the Rails committers and do a legitimate commit. He needn't do it under his own name of course.
So, yes, this is a big deal. And it might not be such a good idea to trust a large unwieldy web application with your access keys. It might also not be such a good idea to write large web frameworks which by default give anyone write access to your database fields unless explicitly told otherwise.
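An added example, not part of the comment above and not Rails code: a plain-Ruby sketch of the default-permit attribute update the comment criticises, next to a default-deny allowlist that also reports the rejected keys. The class, method and field names and the sample request are hypothetical and constructed for illustration.

```ruby
# Constructed sketch of mass assignment; class and field names are hypothetical
# and this is plain Ruby, not Rails code.
class Record
  FIELDS = %i[name email role owner_id].freeze
  attr_reader(*FIELDS)

  def initialize(attrs = {})
    FIELDS.each { |f| instance_variable_set("@#{f}", attrs[f]) }
  end

  # Default-permit: every key in the request that names a column is written.
  def update_permissive(params)
    apply(params.select { |k, _| FIELDS.include?(k.to_sym) })
  end

  # Default-deny: only fields listed for this action are written; anything
  # else is returned so the caller can log or reject the request.
  def update_allowlisted(params, permitted)
    allowed, rejected = params.partition { |k, _| permitted.include?(k.to_sym) }
    apply(allowed.to_h)
    rejected.map { |k, _| k.to_s }
  end

  private

  def apply(attrs)
    attrs.each { |k, v| instance_variable_set("@#{k}", v) }
    self
  end
end

# Constructed request body: a profile form that should only change the name,
# with two extra keys the form never offered.
SAMPLE_PARAMS = { "name" => "New Name", "role" => "admin", "owner_id" => 1 }.freeze

def demo
  open_rec   = Record.new(name: "a", role: "user", owner_id: 42)
  strict_rec = Record.new(name: "a", role: "user", owner_id: 42)
  open_rec.update_permissive(SAMPLE_PARAMS)
  rejected = strict_rec.update_allowlisted(SAMPLE_PARAMS, %i[name email])
  { open: [open_rec.role, open_rec.owner_id],
    strict: [strict_rec.role, strict_rec.owner_id],
    rejected: rejected }
end

p demo if __FILE__ == $PROGRAM_NAME
```

The rejected-key list is the useful signal for defenders: a request carrying fields the form never rendered is worth logging even when the write is blocked.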