Unless I'm mistaken, the "Sign in with GitHub" referred to by the OP was a styled button on the attacker's site, entirely in their control. There's no way to force a site to be well-behaved about this. The question is entirely whether GitHub's warning was reasonable here. What others have noted is that at the very least, even if "starring" wasn't mentioned, the OP did give the attacker full read/write privileges to their public repositories.
You can think that GitHub should improve their processes on the permissions presentation front, and still think that agreeing to this was a massive fuck-up by the user.