How is a client cert not another glorified static password? It would have been stolen from repo secrets the same way.