by 7znwjshsus 1140 days ago
That's not the risk. The risk is that Github has lackluster permissions and audit trailing and an employee could leak and sell keys. Or that they log keys and someone hacks their logs.

Rotating the secret is 100% the correct thing to do in this case.


I’m not that worried about this. I mean, Microsoft runs Azure and they have security protocols that you can audit and show to your auditors, which reduce the risk of sysadmins snooping on VMs, blob storage and anything else they could scan for keys.

I think the risk of a GitHub employee introducing malicious code to scan memory and dump any tokens found for exfiltration is lower than the risk of my own employee or myself doing that.

Rotating the secret seems like a waste of resources in this situation.