How to secure the repository accounts used in the CI/CD pipeline or Automation?

could anyone share some guidelines around this problem.
As the repository is accessible through the internet outside the company ,even for private repositories , an employee leaving organization can access the images (read/write) provided if he knows the user accounts used in the automation scripts. Assume this employee is a DevOps or a Developer its too easy to record the username/passwords before he leaves the company. There is a concept of Access Token but then these are still tied to the user-account. Two factor authentication can be enabled for human based login but not for automation jobs (e.g Jenkins/scripts) .
Thanks in advance.