How does GitRoot handle security without a database or an API?
It's a system based entirely on your repo's own configuration and on how git and SSH already work: no database, no API, just a file in the repo.
When you create a repo, your public SSH key is saved in the file `.gitroot/users.yml`, and you are automatically added to the `owner` group there. That group is marked as the manager of your default branch (`main` by default).
So, what does this mean in practice?
- If you push to `main`: GitRoot looks up your SSH key, sees it belongs to a member of the owner group, and accepts the push.
- If someone else pushes to `main`: their key isn't listed under the owner group, so GitRoot rejects the push.
But here's the cool part: anyone can create a new branch (`feature-fix`, for example) and push their changes to it, because no group claims that branch.
This gives you a simple workflow: you, as the owner, remain the sole manager of `main` and the only one who can merge other people's changes into it. Contributors don't need to fork. Since any unmanaged branch is writable, treat what lands there as untrusted until you've reviewed it.
It's your repository, and you can change these rules however you want, right in that YAML file: add users, create more groups, or assign other branches to them.
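To make the key -> group -> branch check concrete, here is an added toy model of the decision GitRoot makes on every push. This is illustration code written for this post, not GitRoot's code, and the config dict is a made-up stand-in for a parsed `users.yml`: the field names (`users`, `groups`, `members`, `branches`, `allow_anonymous_push`) are assumptions, not GitRoot's real schema. The keys are constructed, syntactically valid `ssh-ed25519` lines, not real key pairs. Two details matter for anyone reimplementing a check like this: match keys on type and base64 blob only, never on the free-text comment, and fall back to "unmanaged branch, anyone may push" only after deciding whether anonymous keys are allowed at all.

```python
"""Toy model of a GitRoot-style push check: SSH key -> group -> branch.

Added illustration, not GitRoot's code. The config below stands in for a
parsed users.yml; its schema is assumed for the example.
"""
import base64
import hashlib
import struct


def _fake_ed25519_line(seed: bytes) -> str:
    """Build a syntactically valid ssh-ed25519 public key line (constructed
    sample data, not a real key pair) so fingerprints can be computed."""
    key = hashlib.sha256(seed).digest()  # 32 bytes standing in for a public key
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + key
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


# Constructed keys. Mallory deliberately reuses Alice's comment string.
ALICE_KEY = _fake_ed25519_line(b"alice") + " alice@laptop"
BOB_KEY = _fake_ed25519_line(b"bob") + " bob@desktop"
MALLORY_KEY = _fake_ed25519_line(b"mallory") + " alice@laptop"

# Hypothetical parsed users.yml (schema assumed; not GitRoot's real format).
CONFIG = {
    "users": {
        "alice": {"keys": [ALICE_KEY]},
        "bob": {"keys": [BOB_KEY]},
    },
    "groups": {
        # The owner group manages the default branch, as the post describes.
        "owner": {"members": ["alice"], "branches": ["main"]},
    },
    "allow_anonymous_push": True,  # assumed toggle for the no-anonymous how-to
}


def key_id(pubkey_line: str) -> tuple:
    """A key's identity is its type and base64 blob. The trailing comment is
    client-controlled free text and must never take part in matching."""
    parts = pubkey_line.split()
    if len(parts) < 2:
        raise ValueError("malformed public key line")
    return parts[0], parts[1]


def fingerprint(pubkey_line: str) -> str:
    """OpenSSH-style SHA256 fingerprint, the form `ssh-keygen -lf` prints."""
    _, blob = key_id(pubkey_line)
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def identify(config: dict, pubkey_line: str):
    """Return the user name whose key list contains this key, else None."""
    wanted = key_id(pubkey_line)
    for name, user in config["users"].items():
        if any(key_id(k) == wanted for k in user["keys"]):
            return name
    return None


def managers_of(config: dict, branch: str) -> set:
    """Groups that claim management of `branch`."""
    return {g for g, spec in config["groups"].items() if branch in spec["branches"]}


def may_push(config: dict, pubkey_line: str, branch: str) -> tuple:
    """Decide a push; returns (allowed, reason) so the reason can be logged."""
    user = identify(config, pubkey_line)
    who = user or f"anonymous {fingerprint(pubkey_line)}"
    if user is None and not config.get("allow_anonymous_push", True):
        return False, f"{who}: anonymous pushes are disabled"
    managers = managers_of(config, branch)
    if not managers:
        return True, f"{who}: {branch!r} is unmanaged, anyone may push to it"
    for group in sorted(managers):
        if user in config["groups"][group]["members"]:
            return True, f"{who}: member of {group!r}, which manages {branch!r}"
    return False, f"{who}: {branch!r} is managed by {sorted(managers)}, not a member"


if __name__ == "__main__":
    for key, branch in [(ALICE_KEY, "main"), (BOB_KEY, "main"),
                        (BOB_KEY, "feature-fix"), (MALLORY_KEY, "main")]:
        allowed, reason = may_push(CONFIG, key, branch)
        print("ACCEPT" if allowed else "REJECT", reason)
```

Run it as a script to see the four cases from the post: Alice to `main` accepted, Bob to `main` rejected, Bob to `feature-fix` accepted, and Mallory's key (unknown despite the copied comment) rejected on `main`. Flip `allow_anonymous_push` to `False` and Mallory is rejected on `feature-fix` too, which is the effect the "disable anonymous pushes" how-to below describes.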
Learn more about user management: https://gitroot.dev/doc/#users
More tips:
- disable anonymous pushes: https://gitroot.dev/doc/how-tos/no_anonymous_user.html
- let all contributors write to all branches: https://gitroot.dev/doc/how-tos/contributors_can_write_all.html
#git #forge #configuration #ssh #security #devops