This isn't completely correct yet. Looking at how Dependabot does it, commits are created with the author dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com> and the committer GitHub <noreply@github.com>

This is how pull requests and commits made through the file uploader/editor on GitHub.com are created as well. The author being the noreply email from the current user and the committer being GitHub <noreply@github.com>.

That email Dependabot uses is an actual account: https://api.github.com/users/dependabot-preview%5Bbot%5D

It turns out that GitHub Actions has an account tied to it as well: https://api.github.com/users/github-actions%5Bbot%5D (You'll have seen this account show up if you use ${{ secrets.GITHUB_TOKEN }} to create a pull request for example.)

So ideally, a commit made by a workflow should be created with github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> as the author and GitHub <noreply@github.com> as the committer.