Ask HN: Using Personal GitHub for Work?

6 points by shay_ker ↗ HN
I'm worried if I use my personal github for work that it could cause my employer (FAANG) to have access to all of my personal things. This could involve open source work as well as private work repos.

Is it possible to insulate myself from this risk by:

- only using my work laptop for work things

- work-only ssh & gpg keys that are only accessed on my work laptop

Or is the only hope to create a separate Github accounts?

16 comments

[ 2.0 ms ] story [ 51.2 ms ] thread
They can not access your private repositories if you are just in the organization.
Right, I’m wondering from a legal perspective if they do
if you're worried about legal, go for separated accounts.
You're asking about a technology solution to a legal problem. Depending on the agreement between you and your employer, even a separate account may not be sufficient.

Understand that first, then determine how to best implement it.

AFAIK in California, personal work that’s done on personal devices outside of work hours aren’t accessible by your employer from a legal perspective.

Just not sure if that separation will hold up if you have a single GitHub account.

Right so then the question is a legal one about what counts as a "personal device" rather than a technical one about github auth or ssh keys or whatever. I think this reinforces the point of the person you were replying to.
Yep, the question is about what’s legally defensible!
The general consensus whenever this is asked is: use work resources for work, and personal resources for personal.

In other words, don't cross the streams.

I wonder how many of these same people advocate for working from home. Is your bedroom a work resource?
Best to have a separation of church and state (so to speak). Use your work devices for work, and your personal devices for personal things. It might sound a bit cumbersome, but it can prevent potential problems.

A few years ago, a colleague accidentally pushed a bunch of AWS keys (or something like that) to his person GitHub account when he should have pushed it to his company one. His personal account was public, someone found the keys, and started spinning up AWS instances by the dozen using those keys.