I’ll preface this with the acknowledgement that HttpOnly is misunderstood by many, but it won’t change anything:
HttpOnly only prevents session theft as you cannot read the cookie, but you can still use it. You can still perform actions by sending AJAX requests with cookies attached.
In a subdomain takeover you receive cookies on all requests; you can view these irrespective of HttpOnly unless you are limited to controlling the HTML and JS of the subdomain (which I think is true of GitHub static sites).
HttpOnly is largely a failed mitigation; modern SPAs require access to JWT tokens, which compounds that. The solution is to focus on appropriate scoping (to prevent subdomain hijacks having such implications) and preventing XSS.
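
Added example, not part of the original comment: a small Node.js audit of `Set-Cookie` headers illustrating the scoping point above. A cookie set with a parent `Domain` is still attached to requests for a sibling subdomain even when it is `HttpOnly`, while a host-only `__Host-` cookie is not. The hostnames, cookie values and function names are constructed for illustration.

```javascript
// Parse one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    if (!a) continue;
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1); // flag attrs become true
  }
  return cookie;
}

// RFC 6265 domain-match: would the browser attach this cookie to a request
// for requestHost? setByHost is the host that issued the Set-Cookie header.
function sentTo(cookie, setByHost, requestHost) {
  const domain = cookie.attrs.domain;
  if (typeof domain !== "string" || domain === "") {
    return requestHost === setByHost; // no Domain attribute: host-only cookie
  }
  const d = domain.replace(/^\./, "").toLowerCase(); // leading dot is ignored
  return requestHost === d || requestHost.endsWith("." + d);
}

// Report, per cookie, whether it would reach siblingHost (for example a
// subdomain whose DNS record could be claimed by someone else).
function auditScope(headers, setByHost, siblingHost) {
  return headers.map((h) => {
    const c = parseSetCookie(h);
    return {
      name: c.name,
      httpOnly: c.attrs.httponly === true,
      hostPrefix: c.name.startsWith("__Host-"), // prefix forbids a Domain attribute
      reachesSibling: sentTo(c, setByHost, siblingHost),
    };
  });
}

// Constructed sample headers, as issued by app.example.com.
const sampleHeaders = [
  "session=abc123; Domain=example.com; Path=/; Secure; HttpOnly",
  "__Host-session=def456; Path=/; Secure; HttpOnly",
];

const report = auditScope(sampleHeaders, "app.example.com", "old-blog.example.com");
console.log(report);
```

Both cookies are `HttpOnly`, but only the first one is flagged as reaching the sibling host; the difference comes entirely from the `Domain` attribute.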