alt Hacker NewsYou could go a step further in paranoia and provide essentially just a clean base image and require the agent to do everything else using public internet - pull your open source repo using an anonymous clone, make changes, push it back up as an unprivileged account PR.
For a private repo you would need slightly more permissions, probably a read-only SSH key, but a similar process.