Wait, what?!

Code deployed from GitHub to servers commonly uses SSH with a private key stored online in GitHub? Isn’t that super insecure for leaks? And also GitHub can just turbo-rug everyone?

#asknostr


Discussion

Only the public key is stored on GitHub servers. You always keep your private key locally. To protect your account in the event that your local machine is compromised, you can opt to require a passphrase for every authentication. Or for convenience, you can set your ssh agent to retain your passphrase for easy authentication.

Some people actually do store private keys on GitHub. Even if that key is configurable, their actual key is often used as a default to make testing faster.

Hmmm.... That doesn't sound like a wise practice. I'd always want to keep my private key secured on my local machine. I think I'd just set my ssh agent to submit the key passphrase automatically.

Standalone web apps that aren't intended to be shared wouldn't normally need to keep keys from being hard coded. That constitutes a lot of projects on GitHub.
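A small defensive check that goes with the last two replies (people committing a "default" private key for convenience): a pre-commit style scanner that flags PEM/OpenSSH private-key blocks and private-key file names in a repository while leaving public keys and authorized_keys alone. This is an added example, not code from anyone in this thread; the sample repository contents are constructed in the script and the key material in them is truncated placeholder text, not real keys.

```python
import re
from typing import Dict, List, Tuple

# A finding is (path, line number or 0 for a whole-file match, reason).
Finding = Tuple[str, int, str]

# Constructed sample repository: path -> file text. Key bodies are placeholders.
SAMPLE_REPO: Dict[str, str] = {
    "README.md": "Deploy over SSH with your own key; never commit it.\n",
    # Public material is expected in a repo and must not be flagged.
    "deploy/authorized_keys": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI...placeholder deploy@laptop\n",
    "deploy/id_ed25519.pub": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI...placeholder deploy@laptop\n",
    # A private key file committed whole (the pattern the thread complains about).
    "deploy/id_ed25519": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAA...placeholder\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
    # A private key embedded in source as a "default for faster testing".
    "scripts/deploy.py": (
        "HOST = 'example.invalid'\n"
        'DEFAULT_KEY = """-----BEGIN RSA PRIVATE KEY-----\n'
        "MIIEow...placeholder\n"
        '-----END RSA PRIVATE KEY-----"""\n'
    ),
}

# PEM/OpenSSH private-key armor headers. A passphrase-protected key
# ("BEGIN ENCRYPTED PRIVATE KEY", or OpenSSH format with a KDF) is still
# flagged: the passphrase is the only thing between a leak and a usable key.
PRIVATE_KEY_HEADER = re.compile(
    r"-----BEGIN (?:(?:RSA|DSA|EC|OPENSSH|ENCRYPTED) )?PRIVATE KEY-----"
)

# Conventional private-key file names. The trailing anchor means
# "id_ed25519.pub" does not match, only "id_ed25519".
PRIVATE_KEY_FILENAME = re.compile(
    r"(?:^|/)(?:id_(?:rsa|dsa|ecdsa|ed25519)|[^/]+\.pem)$"
)


def scan_file(path: str, text: str) -> List[Finding]:
    """Return findings for one file: a file-name hit and/or per-line header hits."""
    findings: List[Finding] = []
    if PRIVATE_KEY_FILENAME.search(path):
        findings.append((path, 0, "private-key file name"))
    for lineno, line in enumerate(text.splitlines(), start=1):
        if PRIVATE_KEY_HEADER.search(line):
            findings.append((path, lineno, "private-key block"))
    return findings


def scan_repo(files: Dict[str, str]) -> List[Finding]:
    """Scan every file in path order so output is stable across runs."""
    findings: List[Finding] = []
    for path in sorted(files):
        findings.extend(scan_file(path, files[path]))
    return findings


def should_block_commit(files: Dict[str, str]) -> bool:
    """Hook-style verdict: any finding blocks the commit."""
    return bool(scan_repo(files))


if __name__ == "__main__":
    for path, lineno, reason in scan_repo(SAMPLE_REPO):
        where = f"{path}:{lineno}" if lineno else path
        print(f"{where}: {reason}")
    print("block commit:", should_block_commit(SAMPLE_REPO))
```

Run as a pre-commit hook over the staged files, this catches both the whole-file case (deploy/id_ed25519) and the key pasted into a string constant, while the .pub file and authorized_keys pass. It deliberately does not try to decide whether a hard-coded key is "only for a standalone app": once the key is in history it is in every clone and fork, so the safe policy is to reject it regardless.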