| ▲ | jallmann 2 hours ago | |
> want without a PR process that requires hardware authentication or proof of presence Just curious, what do you use for this? I built OTP Guard [1] a few years ago for exactly this problem, although I haven't seen any alternatives in the space. Does GitHub have something built-in now? The original framing was more "local malware compromising your GitHub account" ... it never occurred to me that the malware could be a LLM. I really should update the page. | ||
| ▲ | jmole an hour ago | parent [-] | |
My simple process is: 0) agent gets its own separate git user and ssh key, separate from mine 1) branch protection rules on main, only I can approve merges into main 2) any other ssh key uses (interactive login, direct git access, etc.) are ed25519-sk keys and require a touch on yubikey. TBH, the biggest hole is that it can be unclear exactly what process is requesting a touch on the yubikey. Apple has a head start here because they can lock down the TouchID UX relatively well, but unfortunately they don’t seem to care about building a polished developer experience for 2FA on sensitive tasks. They are probably waiting for someone else to build the right solution and then copy/steal it. | ||