Localisation exports from translatewiki.net now use dedicated accounts on Wikimedia, GitHub and SourceForge, authenticating with a private key.
For fully automated exports, and for improved security in general, we need a secure way to use this key.
Status right now is that the key is passphrase-protected (the passphrase is known to about 5 people) and stored on the translatewiki.net main server, with Nikerabbit and Siebrand holding backups of it.
One promising solution is https://blog.wikimedia.org/2017/03/22/keyholder/, where we do not need to give people direct access to the key, making the key harder to steal and access easier to revoke.
Besides that, we should review our SSH policy, which right now has root and password logins disabled. We should consider things like 2FA as well as establishing policies around periodic reviews of who has access and of where keys and passphrases are stored.
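As an added illustration (not part of this task or of translatewiki.net's own tooling), the script below audits the two SSH policy points stated above, root and password logins disabled, against an sshd_config, and checks that a private key file is not group- or world-readable. The function names (`sshd_option`, `check_sshd_policy`, `check_key_perms`) are hypothetical, the configs and key files are constructed in temporary files, and it assumes a POSIX sh with awk, ls and mktemp available. It mirrors sshd's rule that the first occurrence of a keyword wins, so a hardened line cannot be silently undone by a later one.

```shell
#!/bin/sh
# Added example: audit sshd_config policy and private key file permissions.
# Helper names are hypothetical; sample configs and key files are constructed here.

# Effective value of an sshd_config keyword. Keywords are case-insensitive and,
# as in sshd itself, the FIRST uncommented occurrence wins. (Match blocks are
# not handled; this looks at the global section only.)
sshd_option() {
    # $1 = config file, $2 = keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }                   # skip comment lines
        /^[ \t]*$/ { next }                   # skip blank lines
        tolower($1) == key { print $2; exit } # first occurrence wins
    ' "$1"
}

# Print one line per violation; return 0 when compliant, 1 otherwise.
check_sshd_policy() {
    # $1 = config file
    violations=0
    root=$(sshd_option "$1" PermitRootLogin)
    # sshd's default is "prohibit-password", so an unset keyword is not "no"
    if [ "$root" != "no" ]; then
        echo "PermitRootLogin is '${root:-<unset>}', expected 'no'"
        violations=$((violations + 1))
    fi
    pw=$(sshd_option "$1" PasswordAuthentication)
    # sshd's default is "yes", so an unset keyword is a violation too
    if [ "$pw" != "no" ]; then
        echo "PasswordAuthentication is '${pw:-<unset>}', expected 'no'"
        violations=$((violations + 1))
    fi
    [ "$violations" -eq 0 ]
}

# A private key must have no group/other permission bits (ssh refuses it otherwise).
# ls -ld columns 5-10 are the group and other bits, portable across GNU and BSD ls.
check_key_perms() {
    # $1 = private key path
    bits=$(ls -ld "$1" | cut -c5-10)
    [ "$bits" = "------" ]
}

# --- constructed sample inputs (not real server configs or keys) ---
WEAK=$(mktemp)
cat > "$WEAK" <<'EOF'
# weak: root login allowed, PasswordAuthentication left at its default (yes)
PermitRootLogin yes
Port 22
EOF

HARDENED=$(mktemp)
cat > "$HARDENED" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
# this later, conflicting line is ignored: sshd keeps the first value
PasswordAuthentication yes
EOF

GOOD_KEY=$(mktemp)
chmod 600 "$GOOD_KEY"
BAD_KEY=$(mktemp)
chmod 644 "$BAD_KEY"

# Run the checks so the script is useful stand-alone.
for cfg in "$WEAK" "$HARDENED"; do
    if check_sshd_policy "$cfg"; then
        echo "$cfg: compliant"
    else
        echo "$cfg: NOT compliant"
    fi
done
for key in "$GOOD_KEY" "$BAD_KEY"; do
    if check_key_perms "$key"; then
        echo "$key: permissions ok"
    else
        echo "$key: too permissive"
    fi
done
```

Run it against a real `/etc/ssh/sshd_config` by calling `check_sshd_policy /etc/ssh/sshd_config`; a non-zero exit makes it usable from cron or a monitoring check as part of the periodic review discussed above.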