@neauoire @boud @ratfactor 2FA makes GitHub (+ phone operators) a single point of trust; only GitHub will be able to (somewhat) authenticate changes made to repos, out-of-band. That’s not improving supply chain security.
Allowing code authentication by anyone (including developers and the “consumers” GitHub cares about) requires something similar to what we did for Guix: https://doi.org/10.22152/programming-journal.org/2023/7/1