Unless you’re absolutely sure the same email was send in bulk to other email addresses, I’m not sure this qualifies as SPAM, rather unsolicited email — but not being an advertisement email, it’s also hard to argue it’s unsolicited, since it’s more the case of someone contacting you for whatever reason.
Please don’t publish third parties email addresses in public like this, if you need to report that email address to GitHub do so via private email to customers support instead.
or maybe your browser leaked it while navigating the Internet. There are many possibilities to why someone might have got hold of your email address, no matter how hard you strive to keep it private.
Also, spammers often simply try writing to every possible user name for known email domains, and check whether they get an error response from the server, if not they might have caught an existing user; it’s a kind of “brute force” approach to accounts discovering, and apparently it pays off for spammers. They usually don’t target completely random usernames, but mix candidate words from dictionaries (e.g. names) with date births, etc., to increase the chances of their email finding a real users.
So, if it’s a spammer it might have just guessed your super secret email via trial and error (using automated tools, obviously).