I got into the habit of signing my GitHub commits. It’s awesome - anyone that looks at my repositories is able to tell that it really came from my account (and not someone just using my email). As an added bonus, I get a fancy badge associated with my commits, which makes me feel special (since I am not really “verified” anywhere else).
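How that setup looks on the command line, as an added example that is not from the original post: enable signing for a repository and show how anyone cloning it checks a commit's signature. `KEYID` and `PLACEHOLDER_KEY_ID` are placeholders, and the example assumes the private key is already in the local GPG keyring; for GitHub's "Verified" badge the matching public key must also be added to the account and the commit email must be one the account owns.

```shell
#!/bin/sh
# Added example, not the original post's code.
# Turn on commit (and tag) signing for one repository. Assumes the GPG key id
# passed as $2 exists in the local keyring.
enable_commit_signing() {
    repo=$1
    keyid=$2
    git -C "$repo" config user.signingkey "$keyid"
    git -C "$repo" config commit.gpgsign true   # every commit is signed, no -S needed
    git -C "$repo" config tag.gpgSign true      # annotated tags as well
}

# Report the signing settings in effect: key id on the first line, then the
# commit.gpgsign value ("unset" where nothing is configured).
signing_config() {
    repo=$1
    git -C "$repo" config --get user.signingkey || echo unset
    git -C "$repo" config --get commit.gpgsign || echo unset
}

# What a reader of the repository runs: git verify-commit exits non-zero when
# the latest commit carries no signature or one that does not verify, and
# "git log --show-signature -1" prints gpg's verdict inline.
verify_head() {
    git -C "$1" verify-commit HEAD
}

# Demo on a throwaway repository with a placeholder key id (no commit is made,
# so no real key is needed to run this far).
DEMO=$(mktemp -d)
git init -q "$DEMO"
enable_commit_signing "$DEMO" PLACEHOLDER_KEY_ID
signing_config "$DEMO"
rm -rf "$DEMO"
```

After `commit.gpgsign` is on, an ordinary `git commit` prompts for the key's passphrase and records the signature; `git verify-commit HEAD` is the check to run in CI if unsigned commits should fail the build.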
Back in 2012, I had experienced a situation where one of my Git repositories (I will not mention any specific providers here) suddenly disappeared overnight, with no recovery options. And while I was able to restore some of the code from local backups, it was an all-around bad position to be in. You know how you’re always told to not put all your eggs in one basket? Who knew that it applies to code as well!
When building tools that authenticate against other APIs, more often than not I need to manage private keys and secrets. The challenge is that sometimes it’s very easy to forget the fact that the key is sitting somewhere in a configuration file, and it will be accidentally checked into the repository. With the proliferation of tools like trufflehog, that’s generally not a position you want to be in. A lot of services are being proactive about it, and when a leaked key is detected, it will be automatically revoked (notice how someone attempted to use it within minutes of the leak).
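A small local check that catches the accidental check-in before it leaves the machine, as an added example that is not from the original post and not trufflehog's code: a pre-commit hook that scans the staged diff for a few common credential shapes. The patterns are illustrative assumptions (an AWS access key id prefix, a PEM private key header, and a `key=`/`secret=`/`token=`/`password=` assignment with a long value), and the sample diff is constructed for the example.

```shell
#!/bin/sh
# Added example, not the original post's code.
# scan_for_secrets reads a unified diff on stdin, keeps only the added lines,
# and prints every one that looks like a credential. It returns 1 when
# something matched so a pre-commit hook can abort, and 0 when the diff is clean.
# The three patterns are illustrative; real scanners carry far more.
scan_for_secrets() {
    if grep '^+' | grep -v '^+++ ' | grep -E \
        -e 'AKIA[0-9A-Z]{16}' \
        -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' \
        -e "(api[_-]?key|secret|token|password|API[_-]?KEY|SECRET|TOKEN|PASSWORD)[[:space:]]*[:=][[:space:]]*[\"']?[A-Za-z0-9_/+=-]{16,}"
    then
        return 1   # at least one suspicious added line was printed
    fi
    return 0
}

# Hook body: install as .git/hooks/pre-commit (chmod +x) and it runs on every
# commit, showing the offending lines on stderr and refusing the commit.
precommit_hook() {
    if ! git diff --cached -U0 --no-color | scan_for_secrets >&2; then
        echo "pre-commit: possible secret in staged changes; commit aborted" >&2
        return 1
    fi
    return 0
}

# Constructed sample diff: one hunk that adds a fake AWS access key id
# (the value is made up for this example, not a real key).
SAMPLE_DIFF='diff --git a/config.py b/config.py
+++ b/config.py
@@ -1,2 +1,3 @@
+AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE01"
+timeout = 30
 retries = 3'

# Demo: the sample diff is flagged, a harmless diff passes.
if printf '%s\n' "$SAMPLE_DIFF" | scan_for_secrets; then
    echo "sample diff: clean"
else
    echo "sample diff: possible secret found (see line above)"
fi
```

`git commit --no-verify` skips local hooks, so this is a convenience for the developer rather than a control; the server-side scanning and automatic revocation the post mentions are what actually limit the damage once a key has been pushed.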