So, to be clear. I need to contact Github directly to see if my source has been downloaded using compromised deploy keys?
I would. Although you can see some of that info here: https://github.com/settings/security
Edit: There are also logs for your organization in https://github.com/organizations//setting...