Github can't verify you actually committed a change unless it's signed. You can set whatever email address you want on any commit.
They could verify who pushed it to github, since that action is authenticated, but restricting pushing other people's commits would break many workflows (eg, a bot pushing from a local git server), or a reviewer pushing code sent to a mailing list, or resolving conflicts in a merge locally.
You can also verify the GPG key independently of Github. Perhaps your CI system could verify all commits it builds are signed, and your deployment system could too. There's no need to use Github as the authoritative source for that sort of thing.
They could verify who pushed it to github, since that action is authenticated, but restricting pushing other people's commits would break many workflows (eg, a bot pushing from a local git server), or a reviewer pushing code sent to a mailing list, or resolving conflicts in a merge locally.
You can also verify the GPG key independently of Github. Perhaps your CI system could verify all commits it builds are signed, and your deployment system could too. There's no need to use Github as the authoritative source for that sort of thing.