[awill]

You're absolutely right. It's absurd to frame it this way.

Do they expect people to think "Wow, Github leaked a key, but even without knowing if anyone snagged it, they're still replacing it. Wow, they go above and beyond."

It's so ridiculous.

[Xenoamorphous]

Not playing devil’s advocate but guess they at least have some confidence that no one checked out/pulled the repo while the key was there?

After all it’s them hosting and serving the requests for that (and every other) repo.

[diggan]

There is a literal stream of all public data on GitHub. I don't think they can 100% know if it was accessed or not.

[colonwqbang]

"We have no reason to believe" => We don't actually know

[execveat]

Charitable explanation is that they rotated they key without waiting for an analysis.

[sebzim4500]

To be fair, there are somehow people in this post who seem to be arguing that GH should not rotate the key.