apsa (or maybe just stupidity showcase): don't be lazy and leave the static ips from github pages on the a records of your deadname domain name if you end up wiping your website while still occupying the domain name, spammers will find a way to fuck your shit up
it's kind of fucked up that GitHub requires no verification whatsoever on the DNS side to serve content at a domain name that has the appropriate a records? like the "security" they have is hoping you register something on GitHub pages on your own domain before someone else does?
also, the hijacker was very silly and registered very identifiable emails on Google Search Console, a personal one containing what i assume is a full name or some shortening of it, and an institutional address containing a full student id. hopefully that gives me enough to have GitHub bar them from hijacking more domains