For example using private bare Git repositories hosted internally at the company with mandatory OpenSSH U2F authentication (requiring a physical key like a Yubikey) would go a long way and requires two minutes to setup. Or a VPN. Pick your poison.
But then you lose convenience.
Slacked picked convenience and it led to the headline: "Slack's private GitHub code repositories stolen over holidays" and the top voted HN comment so far is: "Slack is selectively and deliberately limiting public access (discoverability) to the security breach announcements.".
The question is: was convenience worth it?
There are other tools. There are other ways to host. There are other ways to do CI/CD.
If CEOs pressure me to neglect security, I always tell them "Do you want to be on the top of the German news magazine Der Spiegel with a bad headline?".
But then you lose convenience.
Slacked picked convenience and it led to the headline: "Slack's private GitHub code repositories stolen over holidays" and the top voted HN comment so far is: "Slack is selectively and deliberately limiting public access (discoverability) to the security breach announcements.".
The question is: was convenience worth it?
There are other tools. There are other ways to host. There are other ways to do CI/CD.
But it's less convenient.
It's a tradeoff.