[blep_]

(I don't work at Github, these are inferences from working on other cloud services)

> Does this mean Github staff can basically take over any private account without contacting the owners?

That's an incredibly common feature to have on the admin side. Three of the four companies I've worked at have had some form of "log in as this user" button, with general guidance to not do anything dumb. The fourth had good reasons for not supporting that, but it made debugging anything happening in production incredibly annoying.

> Could they quietly manipulate my own repos by changing my ssh key and pushing commits?

They _literally own the servers_. They don't need your ssh key. Likely not _everyone_ has direct filesystem access, but at least a few people do.

By hosting anything on a cloud service, you are trusting the people running that service. If you don't trust them, don't do that.