This will require a working secrets system, so that we can distribute a private key to tasks that need to check out private repositories.
The next step here is to add an endpoint to taskcluster github that allows repository owners to set secrets for their repository. Then tc-gh can start jobs along with a secrets proxy that has read-only credentials for the secrets. See: http://docs.taskcluster.net/services/secrets/
I'd be willing to mentor this bug.
This should no longer be an issue. We now have an awesome GitHub integration that repos can install to get access to our tc-gh scheduling, and with a little setup, secrets can be added for a given repo that can be used in tasks. Our open cloud configuration setup for Windows workers does just this: new commits will trigger tasks that pull some secrets from our secrets store to be able to publish new AMIs. That said, one thing to note is that while you are technically able to retrieve secrets within these tasks, there is the potential of leaking them in the logs. Only docker-worker allows one to specify an alternative log location, as far as I'm aware, that makes those logs private.