I always (very naively, I fully get it) wonder if someone at GitHub could take a minute and check the logs (if there are any at this level) from a week ago or so and scan them for patterns? The code seems to grab a few files off of GitHub, use Github actions, etc. -- perhaps there's a pattern in there that shows the attacker experimenting and preparing for this? I assume most people at this level have VPNs and so forth, but I'd never underestimate the amount of bad luck even those folks can have. Would be interesting, I know I'd have a look, if those logs existed.

I have first hand knowledge that they do, or at least that the data exists and can be queried in that way, but it’s a game of cat and mouse.

That's usually what those security companies do, they monitor all those repositories and look for patterns, then investigate anything suspicious.