I haven't seen anyone mention that Docker Hub's automatic build integration requires either "Owner"-level permissions on your organization or "Admin"-level permissions on the individual repository. Based on the GitHub-side audit log, Docker Hub seems to be using this access to add deploy keys to your repository, but this isn't mentioned in the documentation (which is why we had to go spelunking in the audit log), and if you try to take a least-privilege approach and grant only the read-only access that Docker Hub should require, your GitHub repository will simply not appear in the list of available repositories when you try to configure an automatic build.

Lots of people may have exposed credentials to Docker Hub that can do much more than disclose proprietary source code.

Signed commits would be useful, right? I don’t know much about GitHub permissions, but I’ve skimmed GitLab’s. Why would Docker hub have write access to the repo? Is there really no read only access for repos?

I think it's possible, but I'm not sure what DockerHub does. GitHubs OAuth tokens can't be restricted to be read-only or to specific repos (https://stackoverflow.com/questions/26372417/github-oauth2-t...) but I think Deploy Keys can.

They have a lot of scopes compared to GitLab (https://developer.github.com/apps/building-oauth-apps/unders...). I find it crazy that anyone would click authorize on a 3rd party app with the repo scope without having a way to (easily) identify unauthorized commits.

A lot of developers are in a hurry and interested mainly in getting their builds to work so they can move on to the thing they actually care about. They don't think about the potential consequences of the easiest thing they did to make it work.

This is how a sizable number of security incidents happen. The easiest thing to do is reckless, so people do it.