What's the biggest damage someone could have done with that info?
As an example, there is a hacking group tracked as "Atlas Lion" that has been persistently targeting large retailers' internal systems to steal gift cards that they resell on gray markets for a profit.
I don't believe exploiting GitHub repos for initial access is part of their playbook, but there have been plenty of examples in recent years of attackers gaining access to internal infrastructure via secrets exposed in GitHub (whether in code or Actions workflows). Just this year, attackers got into Salesloft's GitHub, pivoted to their AWS environment, and stole OAuth tokens that gave them access to hundreds of Salesforce customers.
- Download all the source code and look for vulnerabilities at their leisure.
- Depending on whether they use GH for deployments, they can also introduce features to production that can help them.