(And it “feels wrong” because you’re making github an unchecked gateway to your website.)
Is it really an unchecked gateway though? Let’s say someone obtains my password to login to Github… WHICH I DOUBT! But even still… let’s assume they do. The could attempt to add a new SSH key to the account… but I’d be alerted of that. Let’s say they got my email too though… so I don’t know. They still can’t push to/pull from the server without getting control of that… which would be much harder. As long as I monitor the SSH keys associated with the account, I should be fine. Right??