The short version: be careful when pointing wildcard domains at servers you don't control because this allows anyone to set up a subdomain for your domain on that server.
So this article suggests not using a CNAME DNS entry and instead pointing your domain’s apex entry at GitHub’s IP. You could also use an ALIAS record to point the ‘www’ part to GitHub too, though only a few DNS providers support ALIAS.
At first I saw their preferred method is an A record, but I used a CNAME, thank you very much.
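One way to check your own zone for the wildcard risk described above. This is an added example, not part of the original post: it scans zone-file text and reports wildcard records whose targets lie outside the zone or outside address ranges you own. The function name `audit_wildcards`, the sample zone, and the placeholder host `example-user.github.io` are constructed for illustration, and the parser assumes owner names relative to `$ORIGIN`.

```python
import ipaddress

# Constructed sample zone (not from the original page): example.com,
# documentation address ranges, and a placeholder github.io host.
SAMPLE_ZONE = """\
$ORIGIN example.com.
@      3600 IN A     192.0.2.10
www    3600 IN CNAME example-user.github.io.
*      3600 IN CNAME example-user.github.io.
*.dev  3600 IN A     198.51.100.7
*.int  3600 IN A     192.0.2.11
"""

ADDRESS_TYPES = {"A", "AAAA"}
NAME_TYPES = {"CNAME", "ALIAS"}  # ALIAS is provider-specific, not standard DNS

def audit_wildcards(zone_text, owned_networks):
    """Return (owner, type, target) for each wildcard record that points
    outside the zone (names) or outside owned_networks (addresses)."""
    nets = [ipaddress.ip_network(n) for n in owned_networks]
    origin, findings = "", []
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()  # drop comments
        if len(fields) >= 2 and fields[0].upper() == "$ORIGIN":
            origin = fields[1].lower().rstrip(".")
            continue
        # Simplified record layout: owner [ttl] [class] type rdata
        idx = next((i for i, f in enumerate(fields[1:], 1)
                    if f.upper() in ADDRESS_TYPES | NAME_TYPES), None)
        if idx is None or idx + 1 >= len(fields):
            continue
        owner, rtype, rdata = fields[0].lower(), fields[idx].upper(), fields[idx + 1]
        if owner != "*" and not owner.startswith("*."):
            continue  # only wildcard owners are audited here
        target = rdata.lower().rstrip(".")
        if rtype in NAME_TYPES:
            # A name without a trailing dot is relative to the origin.
            external = rdata.endswith(".") and not (
                target == origin or target.endswith("." + origin))
        else:
            external = not any(ipaddress.ip_address(target) in n for n in nets)
        if external:
            findings.append((f"{owner}.{origin}", rtype, target))
    return findings

if __name__ == "__main__":
    for finding in audit_wildcards(SAMPLE_ZONE, ["192.0.2.0/24"]):
        print("wildcard points at third-party infrastructure:", finding)
```

Each finding is a wildcard whose answers are served by a host you do not control; replacing it with explicit per-name records removes the open-ended claim on every unused subdomain.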