If you are running an org you should be putting all your private services behind netbird or tailscale at minimum. Zero public infra exposure beyond them.

The service isn't supposed to be private, some repos are intentionally public. And including all external collaborators in some VPN scheme is not possible at that scale.

Sorry, I assumed you were running a typical corp