Ah - Actually reading the article reveals why this is actually an issue:

What’s more, Ayrey explained, you don’t even need the full identifying hash to access the commit. “If you know the first four characters of the identifier, GitHub will almost auto-complete the rest of the identifier for you,” he said, noting that with just sixty-five thousand possible combinations for those characters, that’s a small enough number to test all the possibilities.

So enumerating all the orphan commits wouldn’t be that hard.

In any case if a secret has been publicly disclosed, you should always assume it’s still out there. For sure, rotate your keys.