Use SSH keys or fine-grained personal access tokens instead of passwords
Enable two-factor authentication on the GitHub account
Use a dedicated Linux user account for GitHub work
Keep the Linux system fully updated with security patches
Enable and configure a firewall
Use full-disk encryption on the Linux machine
Set strong file permissions on SSH keys and Git credentials
Protect private keys with a passphrase
Store secrets in a secure secrets manager, not in code or shell history
Use git-crypt, SOPS, or similar tools for sensitive repository data
Sign commits and tags with GPG or SSH signing
Review and restrict repository and organization access permissions
Use branch protection rules on important branches
Require pull requests and code reviews before merging
Require status checks and CI validation before merging
Disable force pushes on protected branches
Restrict who can create releases, tags, and deploy keys
Remove unused collaborators, deploy keys, and tokens
Rotate credentials regularly
Audit GitHub security logs and access history
Enable GitHub security alerts and Dependabot alerts
Use secret scanning and push protection
Pin and verify third-party actions in GitHub Actions
Limit GitHub Actions permissions to least privilege
Use self-hosted runners only with strict isolation and hardening
Avoid running GitHub Actions with overly broad repository secrets
Scan repositories for malware, secrets, and vulnerable dependencies
Use least-privilege sudo access on the Linux system
Disable unnecessary services and daemons
Harden SSH by disabling password login and root login
Use fail2ban or similar brute-force protection
Back up repositories and critical configuration securely
Monitor for suspicious logins, token use, and repository changes
Lock screen and log out when not in use
Use separate accounts for personal and administrative tasks
Verify repository ownership and organization settings regularly
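The two GitHub Actions items in the list above (pin and verify third-party actions; limit Actions permissions to least privilege) can be checked mechanically before a workflow is merged. The following is an added example, not part of the original checklist: a small Python linter that flags `uses:` references not pinned to a full 40-hex commit SHA and workflows with no top-level `permissions:` block, run over two constructed sample workflows (the SHA in the hardened sample is a placeholder, not a real commit).

```python
import re

# A `uses:` step reference, e.g. "owner/repo@ref" (comments after the ref are ignored)
USES_RE = re.compile(r'^[ \t]*-?[ \t]*uses:[ \t]*([^\s#]+)', re.MULTILINE)
# Only a full commit SHA is immutable; tags and branches can be moved by the action owner
SHA_RE = re.compile(r'^[0-9a-f]{40}$')
# A `permissions:` key at column 0 is the workflow-level GITHUB_TOKEN scope
TOP_PERMS_RE = re.compile(r'^permissions:[ \t]*(.*)$', re.MULTILINE)

def check_workflow(text):
    """Return a list of findings for the contents of one workflow file."""
    findings = []
    for match in USES_RE.finditer(text):
        ref = match.group(1)
        if ref.startswith('./') or ref.startswith('docker://'):
            continue  # local actions and docker images are not pinned by commit SHA
        _, _, version = ref.partition('@')
        if not SHA_RE.match(version):
            findings.append(f"unpinned action: {ref}")
    perms = TOP_PERMS_RE.search(text)
    if perms is None:
        findings.append("no top-level permissions: block (token falls back to repository default)")
    elif perms.group(1).strip() == 'write-all':
        findings.append("top-level permissions: write-all grants every scope")
    return findings

# Constructed sample: mutable tag and branch refs, no permissions block
WEAK = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@main
      - run: npm test
"""

# Constructed sample: SHA-pinned action (placeholder SHA), read-only token, local action
HARDENED = """\
name: ci
on: [push]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4 (placeholder)
      - uses: ./.github/actions/local-step
      - run: npm test
"""

if __name__ == '__main__':
    for label, wf in (('weak', WEAK), ('hardened', HARDENED)):
        print(label, check_workflow(wf) or 'OK')
```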
