Unless for some reason someone imports one into their authorized_keys (which presumably would require deliberate steps not random numbskullary) in which case there is a (low) risk as they have just given a dev access to an account said dev does not know exists.
A cronjob on every one of my IoT crap devices, which sometimes stay stuffed in a shoebox without internet for years:
@reboot root ssh-import-id gh:my-username
That way when I want to tinker with one, it will pull down my newest GitHub once it reboots and I’ll be able to login. The GitHub key is always up to date.
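An added example (not from this thread or from ssh-import-id) showing the check a cautious version of that cron job would want: instead of installing whatever the GitHub account currently publishes, compute each fetched key's OpenSSH SHA256 fingerprint and keep only the ones whose fingerprints you pinned in advance. The GitHub fetch itself is left out so the script runs offline; the key lines below are constructed bytes, not real key pairs, and would in practice come from `https://github.com/<user>.keys`.

```python
import base64
import hashlib
import struct
from typing import Iterable


def ssh_fingerprint(pubkey_line: str) -> str:
    """Return the OpenSSH-style 'SHA256:<base64>' fingerprint of one
    authorized_keys / GitHub-format public key line ('type base64 [comment]')."""
    parts = pubkey_line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, b64blob = parts[0], parts[1]
    blob = base64.b64decode(b64blob, validate=True)  # binascii.Error is a ValueError
    if len(blob) < 4:
        raise ValueError("blob too short")
    # The wire blob starts with the key type as a length-prefixed string;
    # it must agree with the textual key type or the line is malformed.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != key_type:
        raise ValueError("key type mismatch")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def filter_pinned(keys: Iterable[str], allowed: set[str]) -> list[str]:
    """Keep only key lines whose fingerprint is in the pinned allow-list.
    Blank lines, comments and unparsable lines are dropped silently."""
    kept = []
    for line in keys:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            fp = ssh_fingerprint(line)
        except ValueError:
            continue
        if fp in allowed:
            kept.append(line)
    return kept


def make_ed25519_line(key_bytes: bytes, comment: str) -> str:
    """Build a syntactically valid ssh-ed25519 public key line from 32
    constructed bytes. These are NOT real keys; they only exercise the parser."""
    assert len(key_bytes) == 32
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + key_bytes)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


# Constructed sample data: the key you expect, and one you do not.
MY_KEY = make_ed25519_line(bytes(range(32)), "me@laptop")
OTHER_KEY = make_ed25519_line(bytes(range(32, 64)), "someone-else")

# Fingerprints pinned on the device ahead of time (here computed from the
# constructed key; on a real box you would paste the value from ssh-keygen -lf).
PINNED = {ssh_fingerprint(MY_KEY)}

# What a fetch of the account's .keys URL might return (constructed), including
# an extra key that was added to the account and two garbage lines.
FETCHED = [MY_KEY, OTHER_KEY, "not a key at all", "ssh-ed25519 !!!! junk"]


def main() -> None:
    # Only MY_KEY survives; this is what would be written to authorized_keys.
    for line in filter_pinned(FETCHED, PINNED):
        print(line)


if __name__ == "__main__":
    main()
```

The point of pinning is that the account's key list is an input you do not fully control at reboot time: if an extra key shows up there, it is dropped rather than installed, and the device keeps working only for the keys you enrolled.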
Exactly. That would be the deliberate steps I mentioned as a gate for this causing a problem. If you give it someone else's key you have a problem, though a minor one unless you've been conned into doing so by an adversary who will later scan for accounts that allow their key pair for auth.
Importing your own public key this way is not problematical at all.
Of course you might end up with people publishing their private key along with the private one, by error or because it seems convenient & they don't think things through...
If you are needing to keep your identity hidden/ambiguous, then you need to be careful with your keys. Don't publish a public key if you don't want it to be public!
These keys and the ways people often used them are very much not designed with privacy as a priority: they are explicitly for proving who you are so you can be given access to something. Key management with regard to keeping different concerns separated is up to the user.
I think it's fine as long as you _know_ github is going to make it public. The only problem is that it's not at all obvious, as can be seen in this very thread.