
I'd still say it was a bug in GitHub, to be frank. This definitely shouldn't be allowed.


Currently, requiring signed commits (the only way to prevent this) would be a massive breaking change, as I would guess that 90%+ of GitHub users don't use GPG to sign their commits. However, they may be able to make that opt in, although it could very well break a ton of automated scripts and would completely break things like squash merging or rebasing by a maintainer.



I was thinking more along the lines of simply checking the email of the (real) commit author against the "email" used in the Git commit. Would this not be possible?


That would break quite a few workflows.

For example, if I were to 'git clone' a project currently on gitlab, create a github repo for it, add that origin, and push... Well, that pushes commits authored by every single person who ever committed to that other repository. Do I have to make all of them re-push only their own commits in order? Can robots not mirror repositories anymore? What about commits authored by people without github accounts?

There's also the obvious issues of me merging a coworker's commit into my branch, or cherry-picking, or rebasing a third-party contributor's commits to update them before merge.

I think the case of "push an existing repo with N authors to a new repo" is a really compelling reason though for why that sort of "you can only push commits with your email" thing would not work.


It’s fundamental to the way Git works. Signed commits are a thing when you need verified authorship.


I feel like anyone would expect this to be guarded against though. There may not be a particular reason to "need" it, but the fact it's even possible is ridiculous.


Consider that I can pull a branch from someone else's repo (even if that repo is not on GitHub), merge it into my own fork of something, and then push all of that to GitHub.

All of the commits in that branch I pulled, regardless of who committed them (not me, presumably) should still be attributed to their original authors, and that's what will happen on the fork I push to GH.

This is fundamentally necessary to how the distributed nature of git works. If you want to assure others that commits really came from you, you need to sign your commits. But so few people do that, so the default is just to trust that commits are from who they say they are.

Perhaps GitHub could have a feature whereby you could toggle a setting so they won't link a commit to your GH user account unless it's signed by you. That still comes with its own problems (like say you submit a PR to some project, but the maintainer rebases master onto your branch before merging, which will kill the signatures).

But still, signing every commit is not really necessary. I personally only sign release tags, which implicitly cover all commits leading up to those releases.
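The "only link a commit to an account if it is signed by that account" toggle proposed above can be expressed as a small policy check over git's own signature-status output. The script below is an added example, not code from the thread or from GitHub: it assumes input lines produced by `git log --format='%H%x1f%an%x1f%ae%x1f%G?%x1f%GS%x1f%GK'` (git's `%G?` status code, `%GS` signer identity and `%GK` key id), and the sample lines, email addresses and key ids are constructed for the example. It links a commit to an account only when the author email matches, the signature verifies as good, the signer identity carries the same email, and (optionally) the signing key is one registered to the account. An unsigned commit that merely claims the account's email is reported but not linked, which is exactly the spoofing case the thread describes.

```python
"""Attribution policy check over git signature-status output (example code).

Input format assumed (one commit per line, fields separated by 0x1f):
  git log --format='%H%x1f%an%x1f%ae%x1f%G?%x1f%GS%x1f%GK'
"""
import re
from dataclasses import dataclass

# Meaning of git's %G? codes (see git-log(1) PRETTY FORMATS).
STATUS_MEANING = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, unknown validity",
    "X": "good signature, expired",
    "Y": "good signature, expired key",
    "R": "good signature, revoked key",
    "E": "cannot be checked (missing key)",
    "N": "no signature",
}


@dataclass
class Commit:
    sha: str
    author_name: str
    author_email: str
    sig_status: str   # %G?
    signer: str       # %GS, e.g. "Alice Example <alice@example.com>"
    key_id: str       # %GK


def parse_log_line(line: str) -> Commit:
    """Split one formatted log line into its six fields."""
    fields = line.rstrip("\n").split("\x1f")
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields, got {len(fields)}: {line!r}")
    return Commit(*fields)


def signer_email(signer: str) -> str:
    """Extract the e-mail address from a signer identity string."""
    m = re.search(r"<([^>]+)>", signer)
    return m.group(1).lower() if m else ""


def attribution_decision(commit: Commit, account_email: str, registered_keys=None):
    """Return (link_to_account, reason) for a single commit.

    registered_keys: optional set of key ids the account has registered;
    when given, a good signature from any other key is still refused.
    """
    account_email = account_email.lower()
    if commit.author_email.lower() != account_email:
        return False, "author email does not match account"
    if commit.sig_status != "G":
        meaning = STATUS_MEANING.get(commit.sig_status, "unknown status code")
        return False, f"signature status {commit.sig_status}: {meaning}"
    if signer_email(commit.signer) != account_email:
        return False, "good signature, but signer identity is not the account"
    if registered_keys is not None and commit.key_id not in registered_keys:
        return False, "good signature, but key is not registered to the account"
    return True, "good signature from the account's registered key"


def review(log_lines, account_email: str, registered_keys=None):
    """Apply the policy to every non-empty line; returns [(sha, link, reason)]."""
    results = []
    for line in log_lines:
        if not line.strip():
            continue
        c = parse_log_line(line)
        link, reason = attribution_decision(c, account_email, registered_keys)
        results.append((c.sha, link, reason))
    return results


# Constructed sample output: shas, addresses and key ids are placeholders.
SAMPLE_LOG = [
    "\x1f".join(["1" * 40, "Alice Example", "alice@example.com",
                 "G", "Alice Example <alice@example.com>", "AAAA1111BBBB2222"]),
    # Unsigned commit that merely claims Alice's address (the spoofing case).
    "\x1f".join(["2" * 40, "Alice Example", "alice@example.com", "N", "", ""]),
    # Validly signed, but with a key Alice never registered.
    "\x1f".join(["3" * 40, "Alice Example", "alice@example.com",
                 "G", "Alice Example <alice@example.com>", "CCCC3333DDDD4444"]),
    # Signed, but the verifier has no key to check it with.
    "\x1f".join(["4" * 40, "Alice Example", "alice@example.com",
                 "E", "", "EEEE5555FFFF6666"]),
]

if __name__ == "__main__":
    for sha, link, reason in review(SAMPLE_LOG, "alice@example.com", {"AAAA1111BBBB2222"}):
        print(f"{sha[:12]} {'LINK ' if link else 'SKIP '} {reason}")
```

In real use the lines would come from `git log` run against a fetched repository, and the registered-key set from the account's uploaded public keys. The thread's caveat still applies: a maintainer rebase or squash rewrites the commit, drops the signature and would turn a LINK into a SKIP, so a tool like this only tells you which commits are provably the account's, not that the others are forged.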
