Share Git Repository Access Safely (No Secrets in Repos)

Why repo access is high stakes

Repositories live for years and get cloned to laptops and CI systems. If secrets enter git history, they spread to backups and forks—hard to scrub later.

Invite-based access (never share your main login)

• Add collaborators by email/user and pick the least privilege (read, triage, write, maintain, admin).
• Require 2FA for all maintainers and admins.
• Use protected branches with required reviews and status checks for main/release branches.

No secrets in repos—ever

• .env and keys stay out of git. Delivery pattern: How to Share API Keys and .env Files with Developers (Safely).
• One-time, expiring links for any credentials; send the access code by a different channel. Basics: The Safe Way to Share Passwords in 2025 (No Email).
• Scan history for secrets and rotate if you find any. Incident plan: The Simple Incident Playbook for Leaked Passwords.

Offboarding without drama

• Remove access for departing collaborators.
• Rotate tokens/keys they touched and sweep threads for exposed secrets: Audit Your Old Messages (90-Minute Sweep).

Useful external references

• GitHub: Two-factor authentication 🔗
• GitHub: Protected branches 🔗
• GitLab: User permissions 🔗

Related reading

Share API Keys and .env Files (Safely) · Verify Links Like a Pro · Secret-Sharing Policy

Bottom line

Invite people, enforce 2FA, protect main branches, and keep secrets out of git. Rotate quickly if anything ever slips.

Secure One-Time Messages - Send confidential messages that self-destruct after being read once. Your privacy is our priority. →.