If they've gotten rid of 3rd party analytics, does this mean they're just using their own? Presumably session cookies count as "required", and could be used to track your actions at least on github.com.
Sure, but considering GitHub doesn't have advertising[1], and they're not sending it to a third party (like Google, who does), it's very hard to imagine any use for first party "tracking" that might harm you.
Presumably the most they're using this for is recommending potentially interesting repos to you.
[1] Potential concern would be if "Microsoft" was considered "their own", since Bing does have an ad network. But my guess is between still having separate accounts and being treated as separate companies, that is not the case here... yet.
Remember that they have LinkedIn as well, and quite possibly could put together a fascinating view of software job profiles, candidates, and repo language/activity to gain value entirely within their own organization. Something like LinkedIn recruitment recommendations improved with GitHub contribution activity might be a fascinating recruitment product: ads are not the only way to gain value.
Yeah, I think my comment is still applicable as is: The risk here is entirely dependent on whether or not "first party" means "GitHub" or means "Microsoft and its various properties".
My guess is that, at least for now, it refers to GitHub, as you agree to GitHub's Terms of Service, which doesn't actually mention Microsoft as a party.
What matters is the purposes that the cookies are used for, not how many there are or which service set it.
A session cookie that is also used for tracking would qualify as both a functional and a tracking cookie, and thus generally be illegal (since you can't consent to the tracking if it's under the threat of being unable to use the service).
I presume this is indeed what they're doing given the wording of the post:
"(And of course GitHub still does not use any cookies to display ads, or track you across other sites.)"
That exactly leaves out "track you on our own site". But honestly, I have absolutely zero issue with them tracking my behavior on their own site. I know how valuable it is to be able to learn/see what users are doing, and they should absolutely be able to do that.
Tracking individual behaviour on their own site without notification is still illegal under the GDPR, so no, they should not absolutely be able to do that.
The GDPR isn't about "3rd party analytics". It's about collection of personal data as qualified by the purpose of that collection, regardless of who collects it.