by peterhadlaw 3012 days ago
If this is true, what are the ramifications for unauthorized computer access?

Update: looks like the registration link was still listed / open, but my question still stands

2 comments

This is the most interesting question. The company is based in Canada, so supposedly Canadian laws would apply, but I suppose it depends on where the GitLab instance is hosted. Also, the author cannot argue that they were bug hunting in good faith, as an ethical security researcher would cease activity after breaching the repository and report their findings. If American laws apply, the CFAA is extremely selectively enforced, but if I were the author of this I would be extremely fucking concerned about going up against the Trump entourage.
According to the first article, the code was hosted with a custom version of GitLab, with the register link still functioning. Once an account was created, all the repos were public. If that's true, then it's a public site being accessed through features of the site.
I'm sure it also depends on if the site was intended to be accessed "publicly" or not. Let's say, visually, all registration links were removed, but (as someone with internal knowledge of GitLab here did) could "breach" into the registration page.
Isn't it typically “breaking or entering”, not “breaking and entering”?