When a build server injects a Github access token into a container to run a package manager, this should be deleted straight after it is used. Version control access tokens are often present on production infrastructure, allowing an attacker to clone all repositories in the Github org.