One issue with infrastructure-style repositories is what to do with
sensitive data. Keys, tokens and other secrets shouldn't be committed
to git repos, but they have to go somewhere.
In some cases you can put them in your CI/CD system and import them
as variables, but that gets complicated quickly.
One way to address it is to use git-crypt. It's not a standard
git extension, but it's been around for a fair bit of time. For people,
the git-crypt key can be encrypted with their GPG keys, so different
contributors can unlock and lock the repo. On the CI/CD side you can
export the key and send it in as a variable (it's a binary file, so
you'll need to encode it with something like base64).
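As an added example (not code from the original post), here is the workflow above as a small set of POSIX shell functions: marking a directory for encryption in .gitattributes, exporting the symmetric key and base64-encoding it for a CI variable, and decoding it again in the CI job before unlocking. The directory name `secrets/`, the variable name `GIT_CRYPT_KEY_B64` and the key file paths are assumptions; the repo-side functions need git-crypt installed, while the encode/decode helpers need only coreutils.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes git-crypt is on PATH
# for repo_setup/ci_unlock; the key helpers need only base64/tr from coreutils.
set -eu

# Tell git-crypt which paths to encrypt. "secrets/" is an assumed directory.
# .gitattributes itself must never be encrypted, hence the second rule.
write_gitattributes() {
  repo="$1"
  printf '%s\n' \
    'secrets/** filter=git-crypt diff=git-crypt' \
    '.gitattributes !filter !diff' > "$repo/.gitattributes"
}

# Turn the binary git-crypt key into a single-line string suitable for a
# CI/CD variable. tr strips the line wrapping some base64 builds add.
encode_key_for_ci() {
  keyfile="$1"
  base64 < "$keyfile" | tr -d '\n'
}

# Reverse of encode_key_for_ci: write the decoded key to a file that only the
# current user can read (umask 077 applies to the redirect inside the subshell).
decode_key_from_ci() {
  outfile="$1"
  encoded="$2"
  (umask 077; printf '%s' "$encoded" | base64 -d > "$outfile")
}

# One-time setup on a developer machine: initialise git-crypt in the repo,
# export the symmetric key, and add a GPG user so they can unlock later.
# GPG_USER_ID is an assumed placeholder for a real key id or email.
repo_setup() {
  repo="$1"; gpg_user="${2:-GPG_USER_ID}"
  (
    cd "$repo"
    git init -q
    git-crypt init
    git-crypt add-gpg-user "$gpg_user"
    git-crypt export-key ../git-crypt.key
  )
  echo "CI variable value:"; encode_key_for_ci "$repo/../git-crypt.key"; echo
}

# In the CI job: rebuild the key from the variable, unlock, then remove the
# plaintext key file so it does not linger in the build workspace.
ci_unlock() {
  repo="$1"
  tmpkey="$(mktemp)"
  decode_key_from_ci "$tmpkey" "${GIT_CRYPT_KEY_B64:?set by the CI system}"
  (cd "$repo" && git-crypt unlock "$tmpkey")
  rm -f "$tmpkey"
}

# Usage (requires git-crypt):
#   write_gitattributes ./myrepo && repo_setup ./myrepo alice@example.com
#   GIT_CRYPT_KEY_B64='<value from repo_setup>' ci_unlock ./myrepo
```

The round trip is the part worth getting right: the exported key is raw bytes, so it must be base64-encoded before being pasted into a CI variable and decoded back to a file (with restrictive permissions) before `git-crypt unlock` sees it.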
It's not perfect - some sort of secret-storing service would likely be
better - but it does secure the data a bit and isn't all that hard to do.
Though people really do resist using gpg/pgp.