by nrmitchi 1466 days ago
> Each of these tokens are valid for up to 1 hour.

> GitHub quickly fixed the issue and established that this bug was recently introduced, existing for approximately 5 days between 2022-02-25 18:28 UTC and 2022-03-02 20:47 UTC.

It doesn't sound like there is anything you can or need to do with respect to these tokens (whether they were used to take action with elevated permissions is a different thing, but it doesn't sound like that was the case either).


It seems like the appropriate thing to do would be to inform anyone who had tokens created during the affected time period, so they could assess if any of the permissions led to undesired changes. Instead of GitHub saying “we don’t have hard proof of anything bad happening” and waiting 3 months, just give the customer the time of relevant token creations.

The email listed the apps that issued tokens in the specified time window. If your notification email listed 0 apps, it means no apps created tokens during the time window in question (I got 1 app listed). I only missed that those tokens had a 1h lifetime.

Listing token times instead of just apps, and doing so nearer the actual time instead of 3 months later, are the key parts of my suggestion.