@alukachin In general, you should not embed the client secret in an Authorization code flow in a client-facing web app, because someone could use the combination of ID and secret to impersonate your app. You should either set up a proxy server to handle the Authorization code flow or use another type of flow such as PKCE (but I don't think that's supported by the GitHub API).
So, it seems like the primary risk is that if someone could easily get your Client Secret (i.e. read it in your front-end application's source code) and then could somehow intercept the Authorization Code (e.g. look through a browser's history for redirect URLs, such as when GitHub redirects back to "http://...redirect_uri.../?code=abc123"), then that person would be able to easily generate an auth token for that user.
So in closing, it is not okay to embed your client_secret in a frontend application.
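
The proxy-server approach suggested in the answer above, sketched as an added example that is not part of the original thread or any project's own code: the browser forwards only `code` and `state`, and the server performs the exchange with a secret read from its own environment. The function names, the `session` object shape, the `OAUTH_*` variable names and the `state` check are assumptions made for illustration; the URL is GitHub's OAuth token endpoint.

```javascript
// Server-side half of the authorization code flow (hypothetical helper names).
// client_secret lives only in the server's environment, never in shipped JS.
const TOKEN_URL = "https://github.com/login/oauth/access_token";

// Validate the callback and build the token request.
// `session` is assumed to hold the `state` value issued with the login redirect.
function buildTokenRequest(query, session, env) {
  for (const k of ["OAUTH_CLIENT_ID", "OAUTH_CLIENT_SECRET", "OAUTH_REDIRECT_URI"]) {
    if (!env[k]) throw new Error("server is missing " + k);
  }
  // Reject callbacks this session did not start (forged or replayed redirects).
  if (!query.code || !query.state || query.state !== session.oauthState) {
    throw new Error("missing code or state mismatch");
  }
  session.oauthState = null; // state is single-use
  const body = new URLSearchParams({
    client_id: env.OAUTH_CLIENT_ID,
    client_secret: env.OAUTH_CLIENT_SECRET,
    code: query.code,
    redirect_uri: env.OAUTH_REDIRECT_URI,
  });
  return { url: TOKEN_URL, init: { method: "POST", headers: { Accept: "application/json" }, body } };
}

// Exchange the code and keep the token in the server-side session.
// The browser receives only a status, not the token or the secret.
async function handleCallback(query, session, env, fetchImpl = fetch) {
  const { url, init } = buildTokenRequest(query, session, env);
  const res = await fetchImpl(url, init);
  const data = await res.json();
  // The endpoint can report a rejected code in the JSON body, so check both.
  if (!res.ok || data.error || !data.access_token) {
    throw new Error("token exchange failed: " + (data.error || res.status));
  }
  session.accessToken = data.access_token;
  return { loggedIn: true };
}
```

With this split, a code recovered from browser history is not enough on its own: the exchange also needs the secret, which never leaves the server.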