Comment by fragmede

honey pot that shit. attackers, security companies, GitHub themselves, are all crawling GitHub for leaked credentials and will tell you that they've been leaked. GitHub very much knows what a GitHub API key looks like. So you stick a GitHub API key with the least useful permission you can think of into your secrets file. If that file ever gets uploaded to GitHub, they'll cancel the key and email you about it, so then you know the rest of the keys in that file have been leaked as well.