by tobz 3485 days ago
Yeah, putting the keys on Github seems pointless and contrived: there's no remediation to putting a known-bad key out in the open. What are you going to do: block their IP? Oh boy.

I see value in the other examples, though, because they are dead simple tripwires, and, unless AWS is scanning your instances, they should never see this and it shouldn't be a problem.

1 comments

The idea is to use private repos on Github, not public ones, which just tell you that yes, someone can read a public repo and misuse a key. Not that your private repos have potentially been compromised.