It’s still GitHub’s fault for not communicating this clearly enough.
The problem really is, why does “Sign in with GitHub” grant permissions to act as the user on GitHub? Shouldn’t that be called something else like “Allow nopecha.com to Act as You”?
I would argue that the words “Sign in with X” should NEVER grant any other permissions than needed for being a pure auth proxy.
Unless I'm mistaken, the "Sign in with GitHub" referred to by the OP was a styled button on the attacker's site, entirely in their control. There's no way to force a site to be well-behaved about this. The question is entirely whether GitHub's warning was reasonable here. What others have noted is that at the very least, even if "starring" wasn't mentioned, the OP did give the attacker full read/write privileges to their public repositories.
You can think that GitHub should improve their processes on the permissions presentation front, and still think that agreeing to this was a massive fuck up by the user.