Signing of the repo contents (commits/tags) doesn't help anyhow with user ssh keys. If the automation gets the keys from github it effectively trusts github completely, irrespective of the situation with repos.
Additionally, if you use gpg to build your ssh keys and have a trust/sign chain you could then pull this stuff with impunity as long as you keep the trust chain issues sorted.