even if you can manufacture a hash collision, there really isn't a good way to use it to attack a (remote) git repository.
If you have $150k to drop on creating a hash-collision, you can afford someone to hack the remote system. Most systems are not properly secured.
Even then, if someone has a "clean" copy of the file you're colliding with, makes a modification to that and re-commits, your malicious file will be overwritten wholesale by the new version of the non-malicious file
Same could be said about the malicious file.
"Of course power tools and alcohol don't mix. Everyone knows power tools aren't soluble in alcohol..." -- Crazy Nigel