@mikaela
I think that Githubs logic is correct because hypotheticaly attacker who got your signing keys could also commit, and Github does not know for how long has been attacker doing those commits (maybe dev has been on vacation, lost access to his/her keys etc) so Github has no choice but to revoke all commits for sake of end user.