Git is a great tool for version control in software development but automating commits or the modification of history causes problems for traceability, security, and usability.
Git lets developers work independently and combine their work quickly and efficiently whilst retaining change history. With the increased use of GitOps there are more and more developers using automation to run commands on git commit. This is a useful tool but can become problematic when the automation pushes changes back into git.
One of the main purposes of using Git is to keep track who made changes and when they occurred. This traceability is useful to improve communication within teams and to give context for code changes, as well as providing the ability to access previous versions of code.
When automating changes to a code base traceability is lost, because instead of seeing the user that made the last changes it shows a bot or shared credential. This leads to lost information about who made the change unless you proxy the user’s credentials, which isn’t advisable due to security concerns.
Git allows you to restrict access control per user, which is important when managing your businesses source code. The source code should be considered high security as it can represent your competitive advantage over other companies.
When you allow automation to modify code, anybody who can control this automation can avoid the security controls of Git. This is an additional risk and attack surface area that should be considered before implementation.
Merge conflicts in Git need to be resolved by humans as it is too complex to resolve them with automation. There are work arounds for resolving merge conflicts, but these can lead to lost code and broken builds.
Since automation has no ability to resolve merge commits it leads to the use of force pushing, which overwrites any other user’s changes. Frequent modification of code by automation can also cause problems as users will need to constantly pull the changes in order to avoid merge conflicts.
Running automation from Git is a great way to trigger pipelines but it is important that automation only has read access and doesn’t push changes back into the system. This is why Git is for humans and not for robots.
Follow me here for more content or contact me on: