ADS-2026-002

Git & Source Control for Infrastructure Engineers

You already think in pipelines, approvals, and rollbacks. This article maps Git concepts directly to your infrastructure world — repos, pull requests, CI/CD, and how code gets from a developer's laptop to a production web server.

Author

CFTV Infrastructure Team

Audience

Infra / DevOps Engineers

Created

May 2026

Last Updated

May 2026

Version

1.0

What Is a Git Repository?

A Git repository (repo) is a version-controlled folder that contains all the source code, configuration, and history for a project. Every change ever made is recorded — who made it, when, and why. Nothing is lost, and anything can be rolled back.

Think of it the same way you think about a Cloud Template or an IaC definition in Aria Assembler. The repo is the source of truth. Nobody edits a running server directly — just like nobody should bypass the repo and hand-edit code on a live web server. The repo drives everything.

ℹ

Key ConceptGit tracks the full history of every file. You can diff any two points in time, revert a single file, or roll back the entire project to any previous state — similar to snapshotting a VM, but at the code level.

The three most common Git hosting platforms are GitHub, GitLab, and Azure DevOps (Repos). All three provide the same core Git functionality plus web-based UI, access controls, and CI/CD pipeline integrations.

How Many Repos Does a Company Have?

This depends heavily on the company's architecture philosophy. There are two dominant strategies:

Monorepo

One large repository holds all code for all teams and services. Companies like Google and Meta operate this way. The advantage is easy code sharing and atomic changes across services. The trade-off is significant complexity at scale — specialized tooling is required to manage build times and access controls inside a single massive repo.

Polyrepo

One repository per service, product, or team — the most common approach. A mid-size software company might have 20 to 200 repos. A large enterprise like Microsoft has tens of thousands. Each repo is independently deployable, has its own pipeline, and is owned by a specific team.

✓

For Most CompaniesPolyrepo is the default. Small-to-mid SaaS companies typically land in the 5–20 repo range. Each repo maps cleanly to a service, product area, or concern.

What Would a Typical Company's Repos Look Like?

For a documentation-focused software company, a reasonable polyrepo layout might look like this:

Repository	Purpose	Who Owns It
`vrodocs-frontend`	Website UI — React, Next.js, or static site	Web / Frontend team
`vrodocs-api`	Backend API and business logic	Backend / Platform team
`vrodocs-docs-content`	Raw Markdown / MDX content files for articles	Content / Docs team
`vrodocs-infra`	Terraform or Bicep IaC — cloud infrastructure definitions	Infrastructure team
`vrodocs-pipelines`	Shared CI/CD pipeline templates reused across repos	Platform / DevOps team
`vrodocs-auth`	Authentication and identity service (if decoupled)	Security / Platform team

ℹ

Infrastructure Engineers Take NoteThe vrodocs-infra repo is your domain. IaC code for cloud resources, network configs, and VM definitions all live here — version controlled the same as application code. Changes to infrastructure go through a PR just like feature code does.

How Code Gets to a Web Server

This is the question most infrastructure engineers ask first: "Okay, the code is in a repo — but how does it actually get onto a server?" The answer is a CI/CD pipeline.

CI/CD stands for Continuous Integration / Continuous Delivery. A pipeline is an automated workflow that triggers when code is merged and handles building, testing, and deploying it — with no one manually copying files to a server.

Code-to-Production Flow

Developer Branch → Pull Request Opened → Peer Review + Approval

↓

Merge to main → CI Pipeline Triggers → Build + Test

↓

CD Pipeline Triggers → Deploy to Production

Common Deployment Targets

Depending on the architecture, the pipeline pushes the build to one of these destinations:

Static CDN — Files synced to Cloudflare, Azure Static Web Apps, or AWS CloudFront. No web server to manage. Most common for documentation and marketing sites.
Container Registry → Kubernetes — Pipeline builds a Docker image, pushes it to a registry, and applies updated manifests to a Kubernetes cluster. New pods spin up, old ones terminate.
VM / Web Server via SSH or agent — Pipeline SSHs into a server and copies the build artifact, or a deployment agent running on the server pulls from the registry. Used in older or on-prem architectures.
Serverless / PaaS — Pipeline deploys a function or app package directly to Azure App Service, AWS Lambda, or similar. No server management at all.

⚠

No Manual Server EditsIn a mature engineering shop, nobody SSH's into a production web server and edits files. The pipeline is the only thing that touches production. This is the same discipline as not modifying a production VM outside of your deployment workflow.

What Is a Pull Request?

A Pull Request (PR) is a formal request to merge code from one branch into another, with a built-in review, discussion, and approval process before anything actually changes in the target branch.

Developers work on isolated branches so their in-progress work never touches main until it has been reviewed and approved. A PR is the gate between a developer's idea and code running in production.

Branch & Merge Model

        main branch      ──────────────────────────────► (production)

                                 ▲

                                 │ merge (after approval)

        feature/add-search  ──●──●──●──► PR opened here

When a PR is opened, teammates can see exactly what lines of code changed (the diff), leave inline comments on specific lines, ask questions, request changes, and ultimately approve or reject the merge.

Most teams also require that automated checks pass — unit tests, linting, security scans — before a PR can be merged. This keeps bad code out of main automatically, not just through human review.

Draft Pull Requests

A developer can open a Draft PR before their work is complete. This signals: "I'm not done yet, but here's the direction I'm heading — early feedback welcome." Draft PRs cannot be merged until explicitly marked as ready for review.

The Pull Request Flow, Step by Step

Developer creates a branch off main — e.g. feature/add-search-bar
Writes code, commits changes to that branch locally and pushes to the remote repo
Opens a PR on GitHub / GitLab / Azure DevOps: "I want to merge my branch into main"
CI pipeline automatically runs — tests execute, linting checks fire, security scans run
Teammates review the diff, leave inline comments, request changes if needed
Developer addresses feedback, pushes additional commits — the PR updates in place
Required number of reviewers approve (usually 1–2 depending on team policy)
PR is merged — CI/CD pipeline triggers and deploys to production

ℹ

RollbackIf a merged PR causes a production issue, the fix is simple: create a revert PR that undoes the merge commit, review it, and merge it. The pipeline redeploys the reverted state. This is the Git equivalent of reverting to a pre-change snapshot.

Branch Protection Rules

Branch protection rules are enforced policies on the main branch (or any branch you designate as protected). They prevent careless or unauthorized changes from reaching production code.

Rule	What It Enforces
Require Pull Request	No one can push directly to `main` — all changes must go through a PR
Require N Approvals	The PR must receive a minimum number of reviewer approvals before it can merge
Require CI to Pass	All automated checks (tests, scans) must succeed — a failing pipeline blocks the merge
Require Linear History	Enforces a clean commit history — no merge commits, only rebased or squashed commits
Dismiss Stale Reviews	If new commits are pushed after approval, previous approvals are invalidated and re-review is required
Restrict Who Can Merge	Only specific teams or individuals can complete the merge, even if approvals are met

✓

Infrastructure ParallelBranch protection rules on main are equivalent to locking down your production environment so that no VM or infrastructure change can be deployed without going through your formal deployment workflow and approval chain.

The Infrastructure Analogy

If you come from a server infrastructure background, you already understand every concept in this article — the terminology is just different. Here is the direct mapping:

Git / Software World	Your Infrastructure World
Feature branch	Dev or test environment — isolated, safe to break
Pull Request	Change request / RFC ticket requiring approval
Code review + approval	Peer review and CAB (Change Advisory Board) sign-off
Merge to `main`	Promoting a change to production
CI pipeline (tests pass)	Pre-flight checks and validation before deployment
CD pipeline (deploy fires)	Your Aria Automation / vRO workflow kicks off post-approval
Revert PR	VM snapshot rollback or config rollback
Branch protection rules	RBAC on production vCenter — changes must go through the workflow
Git blame / history	Change log / audit trail in your ITSM platform
`main` branch	Your golden template — always deployable, always clean

ℹ

The Core PrincipleWhether you're deploying VMs through Aria Automation or deploying code through a CI/CD pipeline, the discipline is identical: the source repository is the source of truth, changes go through a formal review process, and automation handles the actual deployment. Nobody touches production directly.