Grafana says stolen GitHub token allowed attackers to download its codebase

bleepingcomputer.com

14 points by p_stuart82 7 days ago · 1 comment

bastardoperator 7 days ago

GH provides an IP allow list and corp proxy capability to enterprise users. Unless the attacker pwned the entire corp network, which is worse than leaking a token, these types of issues can be mitigated. Tokens are useless if they don't originate from a specific IP space or contain the proxy header, but you have to set them up.
