Use the principle of least privilege
What
Access to repositories should be restricted to what is needed for development of features being contributed.
Why
Roles should be used to limit each contributor to the least access they require. This mitigates potential abuse of resources.
When
When you start getting external contributions.
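One way to check that roles match need is to compare each account's granted role with the role its work requires. The script below is an added example, not part of the original guidance or any project's tooling. It assumes GitHub's built-in repository roles (read, triage, write, maintain, admin) and a hypothetical, hand-maintained record of required roles; all names and sample data are constructed.

```python
# Added example: audit granted repository roles against documented need.
# Assumption: GitHub's built-in repository roles, ordered lowest to highest.
ROLE_RANK = {"read": 0, "triage": 1, "write": 2, "maintain": 3, "admin": 4}


def audit_roles(collaborators, required):
    """Return (login, granted, needed, action) for every account to fix.

    collaborators: list of {"login": str, "role_name": str} (granted role)
    required: dict mapping login -> least role that person's work needs
    """
    findings = []
    for entry in collaborators:
        login, granted = entry["login"], entry["role_name"]
        needed = required.get(login)
        if granted not in ROLE_RANK or (needed and needed not in ROLE_RANK):
            # Custom or misspelled role: fail closed, ask for manual review.
            findings.append((login, granted, needed, "review: unknown role"))
        elif needed is None:
            # Nobody recorded why this account has access at all.
            findings.append((login, granted, None, "remove: no documented need"))
        elif ROLE_RANK[granted] > ROLE_RANK[needed]:
            findings.append((login, granted, needed, f"downgrade to {needed}"))
    return findings


# Constructed sample data, not taken from any real repository.
SAMPLE_COLLABORATORS = [
    {"login": "core-maintainer", "role_name": "maintain"},
    {"login": "docs-contributor", "role_name": "write"},
    {"login": "release-bot", "role_name": "admin"},
    {"login": "former-intern", "role_name": "write"},
    {"login": "issue-triager", "role_name": "triage"},
]
SAMPLE_REQUIRED = {
    "core-maintainer": "maintain",
    "docs-contributor": "read",   # contributes through pull requests from a fork
    "release-bot": "write",
    "issue-triager": "triage",
}

if __name__ == "__main__":
    for login, granted, needed, action in audit_roles(
        SAMPLE_COLLABORATORS, SAMPLE_REQUIRED
    ):
        print(f"{login}: has {granted}, needs {needed} -> {action}")
```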
See also:
- Microsoft documentation on least privilege; not directly applicable, but a good introduction to the ideas
- Least privilege for secrets in GitHub Actions