mTLS aka TLS client certs seems like the way to go.
How is a client cert not another glorified static password? It would have been stolen from repo secrets the same way.
alt Hacker News
How is a client cert not another glorified static password? It would have been stolen from repo secrets the same way.