Given that bcrypt generates a random salt per password and that the Github database wasn't compromised, how was a "remote" brute force attack possible and how long* was that process?
Two different attacks are being confused here. Brute forcing password hashes means the attacker has got ahold of the database table containing the password hashes and if they are properly salted and hashed, then it is very time-consuming to brute force.
In this case, github was attacked by guessing passwords at the login page so it doesn't matter how the passwords are salted or hashed or anything. It just matters if the user in question used an easy password. Github says "we aggressively rate-limit login attempts" which means it locks an account out after x tries for a certain amount of time. The attacker had resources (40,000 unique IPs to guess from) many accounts to choose from, and a long period of time so they could lazily keep guessing and waiting for the lockout to expire. Even with all those resources, their bot can't guess fast enough to break into accounts with anything but dead simple passwords.
It is really great that github posts a security history at https://github.com/settings/security for your account to see account activity (failed logins, logins, etc.)