[delinka]

Just keep in mind that you're now at the mercy of github. Or whomever pwns their servers.

[eru]

You can salvage something from that idea: github is in the public eye. If they do something fishy, you'll probably now about it a month later.

So, for your login service you scrap github periodically, and only trust things that have been there a month ago already.

(A bit like ssh being vulnerable to MitM attack on the very first connection, but not afterwards.)