Will reporting phishing emails cause problems for the victim?
If you report it, Google actually are pretty good at figuring out issues and if it is in their control, they can take some action, however what may happen is that the individual may get blocked from communicating...which helps solve the issue of phishing emails being sent. This can be sorted out though, so do not let it put you off reporting.
Conversely - if you do not report it, what will happen? The phishing will continue and some individuals may be scammed.
Best bet - talk to this person, they may be entirely unaware, so informing them can allow them to do something about it. If they don't take action, or the problem isn't at their machine/account etc then think about escalating.
My first step would be to check the mail headers and see if it is actually coming from a GMail account. There is a good chance that your friend's information was pulled off github and the phishing e-mails are being sent out without him being involved or compromised in any way. I get phishing e-mails from myself regularly (several times a month, sometimes even several times a week) because I have a publicly listed e-mail on several reasonably large websites.
It is trivial to make it look like an e-mail is from someone that it is not or even from a domain that it is not. This requires no participation on the server or user's part. E-mail is inherently insecure and while there are technologies that would prevent many of these problems, they are not widely adopted or implemented because it is a chicken and egg problem. Using the tech could prevent legitimate messages from getting through and in general, people get more upset when ham gets stopped than when spam (even malicious) gets through.
Your best bet is to report the e-mail to your friend (or whoever is being impersonated), your mail provider and if the mail actually did originate from a gmail account, then gmail. If you don't understand how to determine the sending server from your mail header, then you could send it to gmail and they could figure it out pretty easily too, even if there might not be anything they can do about it if there servers were not involved.
Generally the best thing to do in this case (as the one being impersonated) is to make a public service announcement to the list being effected to let them know about the phishing attempts.