I learned about it years ago when I accidentally pushed secrets to the repo. When after rebasing and force pushing to the branch I was still able to access that commit, we decided to stop using GitHub.
Hopefully you have since learned to read the documentation of the tools you use, or at least enough of it to understand the basic data model you are working with. Rebasing won't even (immediately) remove the commits from your local repo. And force pushing isn't some magic operation either.
Further, even if you had managed to delete the secrets from the repo you have to assume that others already copied them and rotat your keys anwyay.
Yes, the credentials were invalidated promptly, before trying to remove them from GitHub. That said, we were using different version control system and GitHub was new to us. This was many years ago.
