> Currently, I have my ssh key on the laptop ...

My SSH keys aren't on my computer: they're safely hidden on a hardware token, behind a secure element, like a Yubikey.

Devices like the Yubikey do precisely exist because computers aren't things to be trusted. So their reason for being is to offer a minimal attack surface.

When I git fetch/pull/push I just do it. But it requires me to physically use my Yubikey. It's not 100% foolproof but it's way better than having SSH keys only protected by a password.

So Git over SSH, on a Git/SSH server that supports Yubikeys.