Hacker News
by UseStrict 1176 days ago
Maybe I'm missing something, but since all GitHub events can be watched through the API, I don't think it particularly matters how long it was public. Anecdotal, but I once accidentally pushed an AWS key (thankfully heavily locked down and not a root account) for all of 30 seconds and it was compromised anyways.
1 comments

I agree. Even if it's only public for one sec it should be considered compromised. However, everything is a risk management question, so knowing the amount of time it was exposed is helpful for other orgs to determine their response to this incident. Same if there was an access log.