Repeated GitHub Actions token leaks in release artifacts #183923
Sofahamster asked this question in Code Security (unanswered, 0 replies)
Topic Area: General
I'm trying to understand what GitHub's position is on secrets being repeatedly published inside GitHub Release assets, and what escalation path exists when a project does not remediate.
I've encountered a well-known open-source library that has now published multiple releases where the release archive contains the entire workspace, including .git/ and .github/. As a result, a ghs_* GitHub Actions token ended up embedded in the release ZIP/7z assets. The maintainers re-released once to fix it, but the very next release repeated the same mistake (and even "double-packed" the workspace by archiving the zip archive in a 7z archive).

I'm not going to test what the token can do, and I am not sharing any secret values here. My goal is to prevent further leakage and understand whether GitHub can apply any platform-side controls.
Is there a recommended GitHub reporting route for secrets exposed in Release assets (as opposed to secrets committed to the repository content)?
Does GitHub Secret Scanning or automated revocation cover archives uploaded to Releases, or only repository contents?
If a project repeatedly republishes leaked tokens, is there any mechanism for GitHub to intervene (revocation, warning banners, temporary disabling of Releases, etc.)?
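The failure mode described in the question (a release asset that packs the whole checkout, so `.git/` and `.github/` and a token inside them ship with the archive, sometimes as a zip nested inside another archive) can be caught before publication with a pre-release check over the asset itself. The following is an added example written for this page; it is not code from the discussion, from GitHub, or from the library the poster mentions. Its assumptions: the token regex reflects the common GitHub token shape (a `gh?_` prefix plus 36 base62 characters); it also decodes `AUTHORIZATION: basic` headers because a checkout step that persists credentials stores the token base64-encoded in `.git/config`, where a plain prefix search would miss it; only nested zips are followed, while 7z and tar members are reported as not inspected (opening them needs an external extractor); and the sample archive, file names, `example/lib` URL and token value are all constructed for the demonstration.

```python
import base64
import binascii
import io
import re
import zipfile

# Assumed token shape (not taken from the post): a GitHub prefix such as ghs_ or ghp_
# followed by 36 base62 characters.
TOKEN_RE = re.compile(rb"\bgh[pousr]_[A-Za-z0-9]{36}\b")
# A checkout step that persists credentials writes them into .git/config as an HTTP
# basic-auth header, "AUTHORIZATION: basic <base64(x-access-token:TOKEN)>", so the raw
# token never appears in the file and TOKEN_RE alone would miss it.
BASIC_RE = re.compile(rb"basic\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
WORKSPACE_DIRS = {".git", ".github"}
UNSUPPORTED_NESTED = (".7z", ".tar", ".tar.gz", ".tgz")  # reported, not opened


def contains_token(blob: bytes) -> bool:
    """True if blob holds a token-looking value, plain or inside a basic-auth header."""
    if TOKEN_RE.search(blob):
        return True
    for b64 in BASIC_RE.findall(blob):
        try:
            decoded = base64.b64decode(b64, validate=True)
        except (ValueError, binascii.Error):
            continue  # "basic" followed by ordinary text, not base64
        if TOKEN_RE.search(decoded):
            return True
    return False


def packed_workspace_dir(name: str):
    """Return 'prefix/.git/' or 'prefix/.github/' if the entry lives under one, else None."""
    parts = name.split("/")
    for i, part in enumerate(parts):
        if part in WORKSPACE_DIRS:
            return "/".join(parts[: i + 1]) + "/"
    return None


def scan_release_archive(data: bytes, where: str = "", depth: int = 0) -> list[str]:
    """Scan a zip held in memory and return findings as 'kind: path' strings.

    Findings carry paths only; secret values are never copied into the report, so the
    output can go into a bug report or CI log. Nested zips are followed (the
    "double-packed" case); other nested archive types are reported as not inspected.
    """
    findings: list[str] = []
    seen_dirs: set[str] = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path = where + info.filename
            wdir = packed_workspace_dir(info.filename)
            if wdir and wdir not in seen_dirs:
                seen_dirs.add(wdir)
                findings.append(f"workspace dir packed: {where}{wdir}")
            if info.is_dir():
                continue
            lower = info.filename.lower()
            if lower.endswith(".zip") and depth < 3:
                findings.extend(scan_release_archive(zf.read(info), path + "!/", depth + 1))
            elif lower.endswith(UNSUPPORTED_NESTED):
                findings.append(f"nested archive not inspected: {path}")
            elif contains_token(zf.read(info)):
                findings.append(f"token-like value: {path}")
    return findings


def build_sample_release() -> bytes:
    """Constructed sample asset (not any real project's): a release zip that wraps a zip of
    the whole workspace, whose .git/config carries a persisted (fake) token."""
    fake_token = "ghs_" + "0123456789abcdefghijklmnopqrstuvwxyz"  # constructed, not a real token
    basic = base64.b64encode(f"x-access-token:{fake_token}".encode()).decode()
    git_config = (
        '[remote "origin"]\n\turl = https://github.com/example/lib\n'
        f'[http "https://github.com/"]\n\textraheader = AUTHORIZATION: basic {basic}\n'
    )
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("lib-1.2.3/README.md", "hello\n")
        zf.writestr("lib-1.2.3/.github/workflows/release.yml", "on: push\n")
        zf.writestr("lib-1.2.3/.git/config", git_config)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("lib-1.2.3.zip", inner.getvalue())
        zf.writestr("CHANGELOG.md", "1.2.3\n")
    return outer.getvalue()


if __name__ == "__main__":
    for finding in scan_release_archive(build_sample_release()):
        print(finding)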