move `verify github attestation` out of SLSA_EXPERIMENTAL

[loosebazooka]

The github attestation spec is stable. So there really shouldn't be too many issues here. If we want BCR users to use slsa-verifier, it would make sense to make this a GA feature.

The one issue with this is that we still have a pre-set list of blessed "github attestation" providers, but we could change this section a bit to allow ANY builder for github attestations if we want wider coverage.