I don’t understand this attitude at all; it’s significantly more secure than password auth, takes less than 5 minutes to correct, and you only need to do it once. It takes approximately as long as typing out your comment.
The entire software industry has occasional change, and I have a hard time believing that 5 minutes to update your account to use a more secure system is that much of a burden (they even provide you a link to the docs!). You seem to have some other reason for really taking a stand about this.
You don't have to understand my attitude, but you might want to be aware that this is a real phenomenon, occurring regularly in the world around you, and take it into account if you happen to be thinking about so-called "software supply chain" issues.
I'm not actually taking a stand about anything; GitHub can do whatever they please. I'm just sharing a funny story from my recent life which illustrates a point from this article: there is no software supply chain, there is only an army of volunteers bearing gifts. If you try to demand that these volunteers raise their standard of gift-wrapping, no matter how small and reasonable a request that may seem to you, some of 'em just won't show up anymore.
Of course, I have spent more time here talking about the problem than it would have taken to fix. So what? This conversation is fun! I am happy to spend my free time this way. When I choose to spend some of my precious free time on grungy, irritating chores, however, there's a long list I would rather deal with before this nuisance from GitHub would come up: washing the dishes, taking out the trash, running the laundry, sweeping the floor, scrubbing out the toilets... those all being activities which improve my environment in ways I actually care about.
But it's not more secure than password auth. My passwords are not guessable, by anyone. Period. You are assuming passwords are guessable; they are not. They are not reused. They are not crackable. It's utter bullshit that an SSH key pair is more secure than passwords done right.
"But what about a keylogger / what if your password manager is compromised / etc.": if someone has root access to my machine and can read my encrypted documents or log my keystrokes, the game is up for an SSH private key as well. There's no reason to say my SSH private key sitting on my hard drive is more secure than my GitHub-specific password sitting (encrypted) on my hard drive.
SSH key pairs are more secure on average because passwords are used by everybody and SSH key pairs are used by security nerds. That's it. That's all there is.