Signed browser plugins with hardcoded checksums sound like the most practical/obvious solution.
I mostly like this idea; however, 'hardcoded checksums' sounds like it could be a pain since many of these projects are updated every couple of months. Any way to make the checksums more flexible?
Not being 'flexible' is what makes them useful. This means that the websites should not be updated regularly. To be fair, you do have to follow a policy of seldom updates if you want to provide a strong sense of trust in the users.
If the checksum is presented to the user, after a while (s)he gets familiar with it. If you provide a link to a specific revision on github, the users could manually check the code once and rely on the checksum from that point on. Then, seeing the same checksum every time would make them familiar with it, and it would raise suspicion if something else shows up.
Scheduled and seldom site updates are not convenient for the site maintainer, but in the end, what we want is a site whose content we know.
If your site states: "next scheduled update: March 15", then on March 15 I would be cool if the checksum is not the one I usually see. Then I could head over to bitcointalk.org and see the new checksum signed by the same PGP key.