This is definitely a security concern, because every resource out there suggests that force pushing a branch will effectively replace the existing branch’s commits, making them inaccessible.
However, I suspect that GitHub, if asked, will claim this is working as designed, because there are legitimate use cases to hang on to dangling commits. One that comes to mind is when you rebase a PR and force push, you can still see the old commits, which are no longer part of the current branch. This is helpful when reviewing diffs between rebases.
I guess this means you just need to be extremely careful with what you commit to GitHub. This is one reason why the first thing I do in a new repo is to set up proper gitignore rules, to ensure any sensitive files are ignored from the get-go.
I will admit though, I had the same incorrect assumption that force pushing would save the day if necessary, provided no one knew the hash of a commit containing sensitive data. The event API is an exposure avenue I hadn’t considered. Perhaps a solution would be to not include events from when a repo was private, if it is now public? Dunno.
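
Added example, not part of the comment above: a local bare repository stands in for the hosted remote to show that a force push only moves the branch ref, while the replaced commit stays stored and readable by its hash. The paths, file name and key value are constructed, and GitHub's own retention behaviour is not modelled here.

```shell
#!/bin/sh
# Constructed demo: runs entirely in a throwaway temp dir, no network access.
set -eu

demo_force_push() {
    work=$(mktemp -d)
    git init -q --bare "$work/remote.git"   # stand-in for the hosted remote
    git init -q "$work/clone"
    cd "$work/clone"
    git config user.email "demo@example.invalid"
    git config user.name "Demo"
    git config commit.gpgsign false
    git remote add origin "$work/remote.git"

    # Commit 1: a file containing a (constructed) secret, pushed to the remote.
    echo "API_KEY=constructed-not-a-real-key" > config.env
    git add config.env
    git commit -q -m "add config"
    git push -q origin HEAD:refs/heads/main
    leaked=$(git rev-parse HEAD)

    # Attempted cleanup: rewrite the commit without the secret, then force push.
    echo "API_KEY=" > config.env
    git commit -q --amend -a -m "add config"
    git push -q --force origin HEAD:refs/heads/main

    # On the remote, the old commit is no longer reachable from the branch...
    cd "$work/remote.git"
    if git merge-base --is-ancestor "$leaked" refs/heads/main 2>/dev/null; then
        REACHABLE=yes
    else
        REACHABLE=no
    fi
    # ...but the object is still stored and can be read by anyone with the hash.
    OBJ_TYPE=$(git cat-file -t "$leaked")
    STILL_THERE=$(git show "$leaked:config.env")

    cd /
    rm -rf "$work"
}

demo_force_push
echo "reachable from main: $REACHABLE"
echo "object type on remote: $OBJ_TYPE"
echo "content still readable: $STILL_THERE"
```

Because the object outlives the force push, the reliable remediation for a pushed secret is to rotate it rather than to rewrite history.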