I look at GitHub profiles to help filter / disqualify candidates. Just last weekend, I had a marketing candidate who had stolen three WordPress projects from their current employer and posted them as public repos on their personal GitHub account. In addition to the flagrant intellectual property theft, the repos contained the wp-config.php file with exposed database “root” credentials to live client sites.

Perhaps I misunderstood. But doesn't GitHub help you filter out such candidates? They have some big projects, but their contribution calendar should be almost empty, cuz all the code is pushed to GitHub at once.

No one should look at the contribution calendar and hire based on it without looking more in depth. To answer your question, it's based on commit time, but because of that you have things like: https://github.com/gelstudios/gitfiti