I was about to say "who in their right mind stores PW info in GitHub?" before I realized I've worked on several projects that do just that. Crazy decisions, but at least as a small mitigation, all that PW data needs access to a VPC to be useful, and that access isn't part of GitHub. Still not good practice by any means.
Having come up working on classified systems, it pains me greatly to see such lax security.
Plenty of people already fell for the "mirror your dot-files to GitHub" fad, which dumped vast quantities of exploitable data into public repos. Amazon somewhat mitigated the leaked AWS keys, but who knows how many other passwords, etc. went unfixed?
Instead of risking their data in the motherlode of hacks occurring against GitHub, they set up on-premise GitHub/GitLab/Bitbucket/etc., then let the servers go unpatched, stay several versions behind, don't bother setting up authentication roles properly, and give people more access than intended.
There are plenty of places doing on-premise right, but I definitely trust GitHub over the average undermaintained on-premise installation.