The answer is you should not allow LLMs access to untrusted input and sensitive data at the same time.
If Ford puts a button in their car which blows it up when you press it, removing the button fixes the issue. If your LLM implementation is fundamentally insecure, you'll have a giant gaping security hole until you remove your LLM implementation.
The alternative is arguing that having the LLM is worth routinely leaking all your code and secrets and occasionally giving complete strangers full access over your repos. Somehow, I think that's going to be a hard sell.
It can't leak a private repo if it can't open it to begin with.
https://github.github.com/gh-aw/reference/cross-repository/#...
It seems like the proper fix is for GitHub not to allow their agentic workflow to execute in a public repo context if it also has private repo access. Or, to use your phrasing, for GitHub to flag and disallow this easily-detectable and dangerous type of misconfiguration.
It’s like saying that an OS should enforce that home directories can only have 0600 permissions. Yes, it prevents accidentally configuring world readable on files, but there are legit reasons for wanting to share a file from your home dir.