Controls 10.1.1 + 10.1.2
1 - Working for a company that does not store any of the data in-house and handles software development in GitHub, how would we apply cryptography?
2 - I understand you need certain processes to include encryption, but I don't quite see where I could use it.
3 - We use SSH tunnels for an encrypted connection from computers into secure coding environments, but how could we use this in our policy?
1 - Working for a company that does not store any of the data in-house and handles software development in GitHub, how would we apply cryptography?
We are not GitHub experts, so our recommendation to you is to consult GitHub staff to see how to apply cryptography to data at rest in your repositories.
Maybe these links can provide some information:
- https://gist.github.com/polonskiy/7e5d308ca6412765927a96bd74601a5e
- https://github.blog/changelog/2019-05-23-git-data-encryption-at-rest/
2 - I understand you need certain processes to include encryption, but I don't quite see where I could use it.
You can use the results of the risk assessment and the identified applicable legal requirements (e.g., laws, regulations, and contracts) to build an understanding of where to apply cryptography.
For example, from a contract with a customer, you can identify a clause demanding that all code developed for that customer must be encrypted, or the results of the risk assessment may demonstrate that a specific module represents a competitive advantage to your company, so keeping the confidentiality of that code through encryption can be a solution.
For further information, see:
- How to use the cryptography according to ISO 27001 control A.10 https://advisera.com/27001academy/how-to-use-the-cryptography-according-to-iso-27001/
3 - We use SSH tunnels for an encrypted connection from computers into secure coding environments, but how could we use this in our policy?
You can define the use of SSH tunnels in section 3.1 of the Cryptographic Policy. For example:
Nov 17, 2022