Workers should be able to access private/authenticated repositories

An external worker task (such as sbuild or autopkgtest) may need to access a private repository. When doing so, it should not expose any credentials used for accessing the repository in the generated artifacts (such as build logs).

This may come in two flavors.

The target repository may be hosted on the Debusine instance itself from a private workspace. In this case, the credentials are somewhat implied.
The target repository may be external to Debusine and credentials may be provided by the user configuring it. An example is Freexian's PHPLTS repository, which uses basic authentication for controlling access.

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information