Apart from the obvious that the employer absolutely has no right to demand a password, Code written for the company does not belong in a private repository.
Most contracts state that everything created during working hours belongs to the company.
This means that he is in quiet the trouble if he writes on code for other companies when he is supposed to work for his employer.
In this case they have the right to demand access(not by demanding the password though)
An alternative would be to provide access using the means provided by GitHub.
The "boohoo my company is evil" narrative is understandable.
But lets not forget that this situation would not exist , if all was handled correctly by the employee.
Dude, why's a self-respecting, upstanding person like you working for such scumbags? Tell them to bring all of the managers. Advise them all that the policy is unacceptable and they're not getting any of yo' passwords.
A solution: a GitHub account for company code, with your old code forked.
> the manager in question demands passwords from everyone for every bit of software and every single device their subordinates use. That data is kept on a spreadsheet right on their desktop
Time to name and fucking shame, shit like this cannot be allowed to continue.