Limited subaccounts for accessing repos from untrusted environments
Problem to solve
Some computers may be infected by malware or otherwise compromised, so we need a way to limit the damage a compromised machine can do.
Proposal
The solution is subaccounts. A subaccount is a set of credentials for signing into an account that gives very limited access to its contents.
The workflow is as follows.
1. A user goes into settings, creates a subaccount and sets credentials and permissions for it. By default it gives no access at all. Access to repos is set up in those repos' settings.
2. Actions made by a subaccount are not applied until moderated and approved by the account. For example, if a subaccount pushes some commits, the account should receive a notification; clicking on it shows the diff, so the merge request interface could be reused here.
Assume the threat model in which an adversary needs the main account credentials to act on the account, can only obtain credentials from the computers they have compromised and not from trusted ones, and the account owner will notice changes they did not make. Then:
1. An adversary does not obtain access credentials for the account.
2. An adversary cannot push into all the repos and do whatever they want; they can only act within the subaccount's permissions.
3. An adversary cannot plant a backdoor, because all actions are reviewed by the account, and the people who did the work remember what they did, so they will likely block the things not done by them.
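As an added illustration (not code from this proposal or from any existing platform), the following model shows the two controls above: a subaccount starts with no permissions, is granted access per repo, and every action it takes is queued for the account owner's review rather than applied directly. The class and method names are assumptions for the sake of the example.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Subaccount:
    name: str
    # repo -> set of allowed actions; empty by default, i.e. no access at all
    permissions: dict = field(default_factory=dict)

@dataclass
class PendingAction:
    subaccount: str
    repo: str
    action: str
    payload: str            # e.g. a commit id or diff summary
    approved: Optional[bool] = None

class Account:
    """Main account: owns subaccounts and moderates everything they do."""
    def __init__(self, owner: str):
        self.owner = owner
        self.subaccounts: dict = {}
        self.queue: list = []    # actions awaiting the owner's review
        self.applied: list = []  # actions the owner approved

    def create_subaccount(self, name: str) -> Subaccount:
        self.subaccounts[name] = Subaccount(name)
        return self.subaccounts[name]

    def grant(self, name: str, repo: str, action: str) -> None:
        # Access is configured per repo, one action at a time
        self.subaccounts[name].permissions.setdefault(repo, set()).add(action)

    def act(self, name: str, repo: str, action: str, payload: str) -> PendingAction:
        sub = self.subaccounts[name]
        if action not in sub.permissions.get(repo, set()):
            raise PermissionError(f"{name} may not {action} on {repo}")
        # Permitted actions are staged, never applied, until the owner reviews them
        pending = PendingAction(name, repo, action, payload)
        self.queue.append(pending)
        return pending

    def review(self, pending: PendingAction, approve: bool) -> None:
        # The owner recognises their own work and rejects anything else
        pending.approved = approve
        self.queue.remove(pending)
        if approve:
            self.applied.append(pending)
```

A compromised machine holding only the subaccount credentials can therefore neither reach repos outside its grants nor land a commit the owner does not recognise and approve.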