“Oops, I pushed a commit with something sensitive to a public GitHub project”

As soon as you push something sensitive to a public GitHub project, you need to immediately assume that it has been noticed and that someone is on their way to try and exploit you. There's a very high chance that it's the case, especially with API keys for services like MailGun, etc, which can be used by spammers.

Attackers are using the Github firehose to look for credentials. You need to immediately revoke them.

You need to come up with a way to prevent this, rather than blame the person who did this. Fat fingers happen, make it so that it doesn't matter.