So you are ok with 2FA, right? If you contribute code there.
Now - what if you are not ok with it? What can you do?
> Almost offensively usable
I think you conflate two points here. One is how useable github is. The other is: control. At which point are you no longer ok with what a private company does? This is not solely about Microsoft alone by the way.
> So you are ok with 2FA, right?
Yes. Are you not? It's one of the most effective measures to prevent a whole class of supply chain attacks. On Github the 2FA is also flexible enough to allow non-hardware passkeys, so you can choose a privacy preserving option with good UX.