> How do you folks deal with these massively increased threats to self-hosted open source apps?

I throw everything behind Cloudflare ZeroTrust SSO or whatever it’s called with a whitelist of Github accounts, and Cloudflare Tunnel to network the containers/VMs without exposing any ports to the outside (except SSH), enforced by both the cloud firewall and iptables/ifw.