Yes, we should move away from SHA1. The bad news is that if you want to support Android releases older than 4.3, you have to continue signing APKs with SHA1. So attackers would have to create two SHA1 collisions: in the APK signature and the GPG signature. Plus the weakness in SHA1 is mostly related to when the attacker can pre-prepare the file being attacked. So someone could upload an app that is properly pre-prepared for SHA-1 collisions, but then why bother with a difficult SHA-1 collision when you could just stick the code into the app? Long story short, this is a very low risk vulnerability in terms of F-Droid.
If you want to track when this happens, it is best to file an issue in the admin tracker: https://gitlab.com/fdroid/admin/issues