
How would you accidentally leak your .ssh dir on Github?


People with workflows like `git add .; git commit -m 'fix'` can push wondrous things to public repos.


Only if you're raw dogging git from your home directory...


You would have to have a git repo in .ssh or higher up the tree for that to work. Otherwise you’d get one of the “directory is not a repo” messages.


It isn't that uncommon to sync a home dir with git: https://askubuntu.com/questions/1316229/is-it-bad-practice-t...

I'd guess that most of us wouldn't do it by just "git init" in the home directory. There are many safer ways than that.

But we were all newbs once, and often even the newbs have access to various keys and credentials.


It was just an example. It used to be fairly common for people to sync some of their dotfiles via git, and from time to time someone would leak a directory that contained sensitive data without them realizing it. I'd guess things like tokens used by cli tools were more common than whole .ssh directories, but I'm sure both happened.

Not quite the same thing, but also a leak: https://blog.gitguardian.com/github-exposed-private-ssh-key/

I guess all these folks saying professionals would never make a mistake like this will also have insulting names for github engineers. :shrug
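A guard against the failure mode this thread describes (`git add .` sweeping `.ssh` or CLI token files into a commit), added here as an example and not code from any commenter. The credential file names and the `scan_paths` / `precommit_check` function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Path list is illustrative, not exhaustive.

# scan_paths ROOT: read newline-separated paths (relative to ROOT) on stdin,
# print "path: reason" for each risky one, return 1 if any were found.
scan_paths() {
    root=$1
    found=0
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        reason=
        case "/$path" in
            */.ssh/*) reason="inside an .ssh directory" ;;
            */.netrc|*/.aws/credentials|*/.config/gh/hosts.yml)
                reason="CLI credential file" ;;
        esac
        # Content check catches keys copied elsewhere under another name.
        # Simplification: this reads the working-tree copy, not the staged blob.
        if [ -z "$reason" ] && [ -f "$root/$path" ] &&
           grep -Eq -e '-----BEGIN ([A-Z0-9]+ )*PRIVATE KEY-----' "$root/$path"; then
            reason="contains a private key block"
        fi
        if [ -n "$reason" ]; then
            printf '%s: %s\n' "$path" "$reason"
            found=1
        fi
    done
    return "$found"
}

# precommit_check: run scan_paths over everything staged for the next commit.
precommit_check() {
    top=$(git rev-parse --show-toplevel) || return 1
    # A repository rooted at $HOME makes `git add .` pick up every dotfile.
    if [ "$top" = "$HOME" ]; then
        echo "warning: repository root is your home directory" >&2
    fi
    git -c core.quotePath=false diff --cached --name-only --diff-filter=ACMR |
        scan_paths "$top"
}

# Only act when installed as .git/hooks/pre-commit; sourcing it does nothing.
case "$0" in
    */pre-commit) precommit_check || { echo "commit blocked" >&2; exit 1; } ;;
esac
```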



