ISTM there’s a straightforward mitigation or two available to GitHub:
1. If a URL would be in the “[t]his commit does not belong to any branch of this repository, and may belong to a fork outside of the repository” and that URL uses a shortened commit hash, return 404 instead. Assuming no information leakage via timing, this would make semi-brute-force probing via short hashes much harder.
GitHub is clearly already doing the hard work for this.
2. A commit that was never public should not become public unless it is referenced in a public repository.
This would require storing more state.
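A toy model of mitigation 1 from the comment above, added here as an illustration and not GitHub's code: a commit URL resolver that serves a fork-only commit (one that "does not belong to any branch of this repository") only when the full 40-hex id is supplied, so a shortened hash gets the same 404 as a nonexistent commit. The repository layout, hashes and function names are constructed; an `mitigated=False` switch shows the current behaviour for comparison.

```python
from dataclasses import dataclass

FULL_LEN = 40  # length of a full SHA-1 commit id in hex

@dataclass
class Repo:
    # full ids reachable from this repository's own branches and tags
    branch_commits: set
    # every object in the shared fork-network store (includes fork-only commits)
    network_objects: set

def resolve_commit_url(repo: Repo, ref: str, mitigated: bool = True):
    """Return (http_status, full_hash_or_None) for a /commit/<ref> request."""
    ref = ref.lower()
    if not ref or any(c not in "0123456789abcdef" for c in ref):
        return 404, None
    # Resolve the (possibly abbreviated) id against the whole fork network,
    # which is what makes fork-only commits addressable in the first place.
    candidates = [h for h in repo.network_objects if h.startswith(ref)]
    if len(candidates) != 1:
        return 404, None  # no match, or an ambiguous prefix
    full = candidates[0]
    if full in repo.branch_commits:
        return 200, full  # ordinary commit on one of this repo's branches
    # Fork-only commit: the "does not belong to any branch" case.
    # Mitigation: require the full id, so short-hash probing cannot
    # distinguish "exists in the network" from "does not exist".
    if mitigated and len(ref) < FULL_LEN:
        return 404, None
    return 200, full

# Constructed sample data (not real commits).
PUBLIC = "0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b"
FORK_ONLY = "deadbeef" + "0" * 32
REPO = Repo(branch_commits={PUBLIC}, network_objects={PUBLIC, FORK_ONLY})

if __name__ == "__main__":
    print(resolve_commit_url(REPO, "0a1b2c3"))            # (200, PUBLIC)
    print(resolve_commit_url(REPO, "deadbee"))            # (404, None)
    print(resolve_commit_url(REPO, "deadbee", False))     # (200, FORK_ONLY)
    print(resolve_commit_url(REPO, FORK_ONLY))            # (200, FORK_ONLY)
```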