When I did a large organization rename (GitHub helped us reclaim a name from a long-since disused account), we were extremely cautious because of this exact problem. Our GitHub organization was named XYZ, being renamed to ABC. We had GitHub rename a separate user, DEF, to ABC. We then picked a low risk time and had browser windows open when we initiated the swap of our new shiny ABC to ABC-old to immediately grab the name and then immediately grab the old name on a new account.
uh, did you read what the OP wrote? he said a long since disused account. i.e. how long a grace period do you desire they have?
github's general policy is that if an account has been dormant for a year (which might mean not just means commits, but also fetches from it) its can be recycled. This is because they dont want to enable username squatting.
How does this work with third party login? For instance I can use my github accout to log in to gitlab. Seems like a security risk for even dormant accounts.
I was not clear, github works as an identity provider. I am not talking about api access to github, I am talking about using github to log into other services.