I don't see why it couldn't allow unauthenticated http for branch creation. Github allows it by default, right? From security pov, fetching the patches over nostr would be nice. I can see the benefit of that.

You have to be logged into github to push to their servers which helps with spam prevention and malicious activity. And you can only push to repositories you have explicitly been given access to (you can fork repos that you have read access to). For me, contributions as patches over nostr would be the ideal flow but the event size limit makes that not always possible. Grasp enables the PR flow without relying on the git data being on only one server.