@asanso reported that a user could use an unverified email when creating a commit with the web-editor on GitHub.com. Commits made via web edits on GitHub.com are signed using GitHub’s key. This resulted in GitHub.com signing a commit with its key for an arbitrary, unverified, email address. We addressed this issue by validating the author’s selected email had been verified before allowing them to use it to commit via GitHub.com’s web edit flow.