jaggederest 10 hours ago

You could go a step further in paranoia and provide essentially just a clean base image and require the agent to do everything else using the public internet - pull your open source repo using an anonymous clone, make changes, push it back up as an unprivileged account PR.

For a private repo you would need slightly more permissions, probably a read-only SSH key, but a similar process.
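
The anonymous-clone step from the comment above, as an added example (not the commenter's code): the clone runs with an emptied environment and no credential helper, so the agent inherits no token, and the result is checked for stored credentials. The function names are hypothetical, and `file://` is accepted only so the sketch can be exercised offline against a local repository.

```shell
#!/usr/bin/env bash
# Added example: credential-free clone for an agent sandbox.
# Function names are hypothetical, not from any project.

# Accept only URLs that need no secret to fetch.
is_anonymous_url() {
  case "$1" in
    *://*@*) return 1 ;;             # userinfo (user:token@host) embedded in the URL
    https://*|file://*) return 0 ;;  # file:// allowed only for the offline demo
    *) return 1 ;;                   # ssh://, git@host:path and similar need a key
  esac
}

# Clone with an empty environment so no token variable, SSH agent socket
# or user-level git configuration is inherited by the agent's checkout.
anon_clone() {
  local url=$1 dest=$2
  is_anonymous_url "$url" || { echo "refusing non-anonymous URL" >&2; return 2; }
  env -i PATH="$PATH" HOME="$dest.home" \
      GIT_CONFIG_NOSYSTEM=1 GIT_CONFIG_GLOBAL=/dev/null GIT_TERMINAL_PROMPT=0 \
      git -c credential.helper= clone --quiet --depth 1 "$url" "$dest"
}

# Succeeds only if the clone's local config holds no credential helper,
# injected auth header or URL rewrite, and origin carries no userinfo.
clone_is_clean() {
  ! git -C "$1" config --local --get-regexp \
      '^(credential\.|http\..*extraheader|url\..*insteadof)' >/dev/null 2>&1 \
    && ! git -C "$1" remote get-url origin | grep -q '@'
}
```

The push back as a pull request would then use a separate unprivileged account, which this sketch does not cover.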