If you are on github.com, you can use a Fine tune PAT token to limit access to a minimum. Although the token will be tied to an account, it's quite easy to change to another one from another account.
He's asking "what git credentials make sense to use for agents" - regardless of autoscaling or not. I had the same question earlier.
tldr: it depends on your security policies.
@EncouragingFish95 - if you have the ability to create a "service account" in your git provider, perhaps at the org-level, I would do that.
My org's cloud git provider does not enable this functionality, and so we have agreed that it is "acceptable" to have the agent's git credentials basically be tied to a token for my account (since I'm effectively administrating our server). Since it's read-only (ClearML doesn't push commits), it didn't feel particularly important to have identities correctly tied to the agents.
If it's possible to create a user account that multiple trusted people on your team can administer, then I would do that. Read-only auth keys at the repo-level would work too.
(always consider the risk of "how will my team handle this if I am to suddenly leave" and "to what repos does this token grant access")
Then you can define the git credentials that can clone these repositories