The root can't be a CNAME because no other record with the same name aside of a CNAME can exist. Your domain root also has one SOA and two NS records (and probably one more more MX records if you want to receive mail)
See RFC 1912 (Section 2.4)
Edit: Done, seeing changes will need an F5.
It'll 302 redirect naked domains to www.domain, which will resolve to whatever you've configured it for.
This should let you chain A -> 302 redirect -> CNAME and bypass the GitHub DDoS protection.
Most DNS hosts offer some mechanism for forwarding traffic from your apex domain to the www subdomain using a 301 (permanent) redirect. Then the www subdomain can be configured with a CNAME record.
For example, at Brace (http://brace.io) we offer a guide for configuring this if your domain is on godaddy. See step 3 at http://blog.brace.io/2014/01/19/custom-domains-godaddy/. (not an endorsement of godaddy)
(edited for clarity)