I'm not trying to find an attack vector, I'm trying to find a threat model where relying on non-signed commits on master is insecure, but relying on commits signed by the github key is secure.
If you are looking at and trusting github UI/API anyway as part of your verification, then you might as well just look at the green "verified" badge without actually verifying the signature locally. At which point actually signing by the github key is just useless ceremony.
Again, I’m not sure I understand your point. The verification is a strong attestation by GitHub how that commit came to be. Without the verification I know absolutely nothing about the authorship of the commit.
If you are looking at and trusting github UI/API anyway as part of your verification, then you might as well just look at the green "verified" badge without actually verifying the signature locally. At which point actually signing by the github key is just useless ceremony.