
They do it to prevent passwords, which allow access to privileged things like account settings, from being stored (and thus subject to being accidentally leaked).

It doesn't matter how long your password is if your password is in a text file with bad chmod permissions to people who shouldn't have it.

An access token, at least, limits the blast radius.
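As an added illustration of the point above (example code, not from this thread or from GitHub): a small Python audit that reads a file in git's credential-store format, checks for the "bad chmod" case, and separates stored passwords from GitHub tokens by their documented prefixes (ghp_ and github_pat_). The sample store contents and every secret in it are constructed for this example.

```python
import os
import stat
import tempfile
from urllib.parse import urlsplit, unquote

# Constructed sample in git's credential-store format; every secret is made up.
SAMPLE_STORE = """\
https://alice:hunter2@github.com
https://alice:ghp_EXAMPLEEXAMPLEEXAMPLEEXAMPLEEXAMPLE12@github.com
https://bob:github_pat_EXAMPLE_EXAMPLE@github.com
"""
TOKEN_PREFIXES = ("ghp_", "github_pat_")  # documented GitHub PAT prefixes

def classify_secret(secret):
    # Tokens carry a recognisable prefix; anything else is treated as a password.
    return "token" if secret.startswith(TOKEN_PREFIXES) else "password"

def parse_entries(text):
    # Return (user, host, kind) for each stored credential line.
    entries = []
    for line in text.splitlines():
        parts = urlsplit(line.strip())
        if parts.password is not None:
            entries.append((parts.username, parts.hostname,
                            classify_secret(unquote(parts.password))))
    return entries

def readable_by_others(path):
    # True when group or world has read permission: the "bad chmod" case.
    return bool(stat.S_IMODE(os.stat(path).st_mode) & (stat.S_IRGRP | stat.S_IROTH))

def audit_file(path):
    with open(path) as f:
        entries = parse_entries(f.read())
    exposed = readable_by_others(path)
    has_password = any(kind == "password" for _, _, kind in entries)
    # The dangerous combination: a file others can read AND a reusable password in it.
    return {"readable_by_others": exposed, "entries": entries,
            "high_risk": exposed and has_password}

def demo(mode=0o644):
    # Write the constructed sample to a temp file with the given mode and audit it.
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "w") as f:
            f.write(SAMPLE_STORE)
        os.chmod(path, mode)
        return audit_file(path)
    finally:
        os.unlink(path)
```

Run `demo(0o644)` to see the high-risk verdict for a readable file holding a password, and `demo(0o600)` for the same file with owner-only permissions.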



I doubt these "saved passwords" are the issue; rather, it is people choosing guessable passwords. Especially with the bitcoin attacks on the GitHub CI sandboxes, the attackers don't care about the repo that much, but they want access to the X% of GitHub accounts that use a top 100 or top 1000 password, so they can get in and start mining.


Ah, I get it. They don't want the password you use to log in on GitHub to be the same as the one you store in a text file. Makes sense. But it is still baby-sitting.


What you describe as "baby-sitting", I would call "encouraging users to fall into the pit of success."

Many, many GitHub users are not professional software developers, and many more than that are not security-minded users at all. Small incremental improvements like this are a kind of defense in depth, and it is valuable.


And we have fifty years of software development history to prove we need this kind of babysitting. It’s a pain one time and then you realize it wasn’t hard to do and start doing a better practice out of habit.


Eh, I think everyone stands to benefit when a service increases their security standards in a reasonable way. Fewer account recovery support requests for them, fewer footguns for inexperienced users of theirs.

Do you consider password length requirements baby-sitting?


If this is babysitting, I never want to grow up.



