It's not just a random token "signed by GitHub", it's a token containing the runtime context it was requested in (repo, branch / commit, build, etc.).
See the fields in https://docs.github.com/en/actions/security-for-github-actio...
The level of attestation you want (essentially bound to TPMs) would probably be very difficult to provide given how all sorts of images run in a typical CI pipeline.