Expiration is still a form of rotation. Also, GitHub doesn't provide never-expiring tokens; all of their tokens have expiration policies and need regular rotation. That doesn't mean that there aren't good reasons (such as, in this case, vulnerable applications) to manually rotate even before the expiration date.