[travisd]

Parent comment is concerned with privacy, not authenticity. They're not worried that someone modified their code, they're worried that someone saw it.

[DistractionRect]

They specifically called out the need to review all code that ever interacted with github. The implication is that you can't trust it hasn't been tampered with.

[Spooky23]

The parent was assuming full compromise.

The risk of disclosure is pretty obvious with GitHub, and I’d assume anyone with low risk tolerance here is using something else, including the on-prem GitHub. I can think of a dozen higher risks.