UPDATE: The accepted answer applies to all subsequent Xcode versions up to 16.2, at least.
I just upgraded to Xcode 10.2 from 10.1. I did my first git push in the new version. Xcode displayed message in a dialog.
The identity of a repository hosted on “git.example.com” has changed.
The fingerprint ‘AAAAAAAABBBBBBBBCCCCCCCCDDDDDDDD’ for this repository has changed since it was trusted. You might be connecting to a repository that is pretending to be “git.example.com”, which could put your confidential information at risk. Would you like to connect to the repository anyway?
I killed Xcode 10.2. I started up Xcode 10.1 again. I did a git push operation, and it succeeded. This proves that the git repos host did not change fingerprints. It strongly hints that Xcode 10.2 determines ssh host fingerprints differently than 10.1.
My guess is that Xcode does not use ~/.ssh/known_hosts otherwise 10.2 would behave the same as 10.1.
I pressed "Trust" in the dialog and noted the time.
I saw no new entries in Keychain. I immediately went to Terminal and ran find . -mmin -3 in ~/Library/Developer/Xcode and saw no relevant files changed. File ~/.ssh/known_hosts was not updated.
So, where does Xcode 10.2 store its ssh known hosts info? Could I have somehow pointed Xcode 10.2 to the ssh known hosts fingerprints that 10.1 was using?
I don't known about Xcode 10, but for Xcode 12 it seems Xcode's list of trusted SSH hosts is in ~/Library/Preferences/com.apple.dt.Xcode.plist, in IDESourceControlKnownSSHHostsDefaultsKey.