They should require you to log into Github and use the full Github UI for any app permissions beyond saying knowing which github account it is.

I.e. the flow is

1. Auth by Github

2. App says "thanks, now please log into your github account and grant the following permissions, X, Y Z"

3. User logs into github.com, goes to account page and grants whatever they fell is necessary

4. App now has permissions.