sandeepkd 3 hours ago
Personally I don't like the way they do it, it's hard to understand, if anything it's convoluted. In case of AWS, you add GitHub as an IDP (OIDC provider) and associate a role to it. GitHub is now authenticating into AWS, scoped to the GitHub repository where it's configured and the AWS role it can assume. It's not really a typical OAuth2 or OIDC flow. And yes, it's better than storing the keys. GitHub is not the OAuth client here.
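
The trust relationship described in the comment above, as an added example that is not part of the comment or the thread: a Python check that audits an AWS IAM role trust policy for GitHub's OIDC provider and flags roles that are not pinned to one repository through the `sub` claim. The sample policies, account ID and repository names are constructed, and only `StringEquals`/`StringLike` conditions are examined.

```python
GITHUB_OIDC_HOST = "token.actions.githubusercontent.com"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy):
    """Return (statement index, code, detail) findings for GitHub OIDC trust."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        federated = _as_list(principal.get("Federated", []))
        if not any(a.endswith("oidc-provider/" + GITHUB_OIDC_HOST) for a in federated):
            continue
        claims = {"sub": [], "aud": []}
        # Assumption: only StringEquals and StringLike are inspected here.
        for op in ("StringEquals", "StringLike"):
            for key, val in stmt.get("Condition", {}).get(op, {}).items():
                host, _, claim = key.lower().rpartition(":")
                if host == GITHUB_OIDC_HOST and claim in claims:
                    claims[claim] += _as_list(val)
        if not claims["aud"]:
            findings.append((idx, "missing-aud", ""))
        if not claims["sub"]:
            # Without a sub condition, a workflow in any repository qualifies.
            findings.append((idx, "missing-sub", ""))
        for sub in claims["sub"]:
            parts = sub.split(":")
            if parts[0] != "repo" or len(parts) < 3 or "*" in parts[1]:
                findings.append((idx, "unpinned-sub", sub))
    return findings

def _policy(condition):
    """Constructed sample trust policy; account ID and names are placeholders."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/" + GITHUB_OIDC_HOST},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition}]}

AUD = {GITHUB_OIDC_HOST + ":aud": "sts.amazonaws.com"}
SCOPED = _policy({"StringEquals": {**AUD,
    GITHUB_OIDC_HOST + ":sub": "repo:example-org/example-repo:ref:refs/heads/main"}})
UNSCOPED = _policy({"StringEquals": AUD})
ORG_WIDE = _policy({"StringEquals": AUD,
    "StringLike": {GITHUB_OIDC_HOST + ":sub": "repo:example-org/*"}})
if __name__ == "__main__":
    print([audit_trust_policy(p) for p in (SCOPED, UNSCOPED, ORG_WIDE)])
```
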