The issue here is that the OP did not abuse anything, tried to correct the mistake once discovered and was 'still' the one being punished for someone else's shady practice.
I think it’s because from GitHub’s standpoint, OP looks just like a bad actor who took $5 to allow someone to use their account to Star 500 repos, and says the same things.
GitHub is taking the “ban them all and let God sort ‘em out” approach to figuring out if OP is telling the truth.
You realize that the OAuth token is tied to the client app, right? Not only can GitHub see that this action was taken by/through a third party service, they can also see all actions taken by that service across all users. So there are much better ways to detect and correct the abuse.
All OAuth tokens are authorized by users. So GitHub sees the app and sees the users who authorized the app. Users are responsible for all the bots that act in their names.
Otherwise it would be quite simple to write a malbot and then claim innocence because it was the bot doing it, not me.
I think the approach to automation is best when the authority and responsibility always tie back to an individual or group.
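An added illustration of the point made in the thread that OAuth tokens are tied to the client app (not code from any commenter or from GitHub): a sketch that groups star events by OAuth app and flags apps whose tokens starred the same repos from several accounts in a short burst. The event schema, app ids, user names and thresholds are assumptions constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

# Constructed events; the schema (time, user, oauth_app, action, repo) is hypothetical.
# oauth_app is None for actions the user took directly, without a third-party app.
EVENTS = [
    (ts("2024-01-01T10:00:00"), "alice", "app-42", "star", "x/one"),
    (ts("2024-01-01T10:00:05"), "bob",   "app-42", "star", "x/one"),
    (ts("2024-01-01T10:00:09"), "carol", "app-42", "star", "x/one"),
    (ts("2024-01-01T10:01:00"), "alice", "app-42", "star", "x/two"),
    (ts("2024-01-01T10:01:03"), "bob",   "app-42", "star", "x/two"),
    (ts("2024-01-01T10:01:07"), "carol", "app-42", "star", "x/two"),
    (ts("2024-01-01T09:00:00"), "alice", None,     "star", "y/lib"),
    (ts("2024-01-01T11:00:00"), "dave",  "app-7",  "star", "y/lib"),
    (ts("2024-01-03T11:00:00"), "erin",  "app-7",  "star", "y/lib"),
]

def coordinated_apps(events, window=timedelta(minutes=5), min_users=3, min_repos=2):
    """Return {app: {"users": set, "repos": set}} for apps whose tokens starred
    at least min_repos repos, each from at least min_users accounts within window."""
    by_app_repo = defaultdict(list)
    for when, user, app, action, repo in events:
        if app is not None and action == "star":
            by_app_repo[(app, repo)].append((when, user))

    hits = defaultdict(lambda: {"users": set(), "repos": set()})
    for (app, repo), stars in by_app_repo.items():
        stars.sort()
        # Slide a window forward from each star and count distinct accounts in it.
        for i, (start, _) in enumerate(stars):
            burst = {u for t, u in stars[i:] if t - start <= window}
            if len(burst) >= min_users:
                hits[app]["users"] |= burst
                hits[app]["repos"].add(repo)
                break
    return {a: h for a, h in hits.items() if len(h["repos"]) >= min_repos}
```

The result names the app and the stars made through it, so a cleanup can be scoped to those actions; the direct star by `alice` on `y/lib` is not part of any finding.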