That's a separate discussion from the previous one. My recommendation would be to avoid it, for several reasons.
If a package is on Github, that means it did not get reviewed. When submitting to CRAN or BioConductor (or if you work in rOpenSci and publish on r-universe), there are a number of automated checks and some manual ones, so presumably packages found there can't be totally broken. From GitHub, there is no such guarantee, it's totally possible that the author will put out a half-broken package and ignore all automated checks and warnings, breaking your package in the process.
In a more extreme case, the author of the GitHub package could even be malicious and change their code to leak passwords after you start depending on it (this can happen).
Another aspect is that some people may not be able to install from github, for example as a company security policy, or that some particular context does not support installing from github (here is a Python example). You can make an explicit choice that you don't care about these use cases, and people in such a scenario simply can't use your package, but it's not an obvious choice.
And of course, if you depend on a GitHub package, you can't submit to CRAN.
If you do want to go that way, for practical purpose you can use {devtools} and the Remotes field of DESCRIPTION, as described in this vignette.