[Xenoamorphous]

Not playing devil’s advocate but guess they at least have some confidence that no one checked out/pulled the repo while the key was there?

After all it’s them hosting and serving the requests for that (and every other) repo.

[diggan]

There is a literal stream of all public data on GitHub. I don't think they can 100% know if it was accessed or not.

[colonwqbang]

"We have no reason to believe" => We don't actually know

[execveat]

Charitable explanation is that they rotated they key without waiting for an analysis.