Many administrators would love to restrict cloning and pushing to GitHub repos to certain IPs and auto-expiring keys. GitHub provides that functionality out of the box, but it is quite complicated to setup and maintain:

If we had a way to automate all steps by just creating an issue - the ssh certificate authority feature would have a much higher chance to be used.

1. Configure your org to use a ssh certificate authority

2. Create a copy of this repository template in that organization

3. Set your CA private key as SSH_CERTIFICATEsecret

4. Create an issue with the Sign ssh key issue template which will trigger the issue ops sign ssh key workflow

5. Profit

In a first iteration, we experimented with generating ssh keys from scratch and send them encrypted to the user. We abandoned this idea for signing already uploaded ssh keys. A leftover from our experiments is an IssueOps encryption workflow that can be triggered by using the Encrypt and share content issue template and encrypts any content in the issue description with the public ssh keys of the specified recipient (with a comment how to decrypt):

For encryption/decryption, the portable, lightweight encryption tool age is used, which could either be used directly from this repo template (Windows, Linux, Mac) or build/installed from scratch.