Git for Sysadmins: Beyond the Basics
Git is not just for developers. System administrators use it to track
configuration changes, manage infrastructure-as-code repositories, and
coordinate changes across teams. This guide goes beyond git add and
git commit to cover the workflows that matter in operations.
Branching and Checkout
Create a feature branch for every change, no matter how small:
# Create and switch to a new branch
git checkout -b feature/update-nginx-config
# List all branches (local and remote)
git branch -a
# Switch back to main
git checkout main
A common convention for infrastructure repos is to use prefixes like
feature/, fix/, and release/ so the purpose of each branch is
immediately clear.
Merging Strategies
Fast-forward merges keep history linear but lose the branch context. Use
--no-ff when you want an explicit merge commit:
# Merge with an explicit merge commit
git merge --no-ff feature/update-nginx-config
# Delete the branch after merging
git branch -d feature/update-nginx-config
Interactive Rebase
Before merging a long-lived branch, clean up the commit history:
# Rebase the last 5 commits interactively
git rebase -i HEAD~5
In the editor, use pick, squash, reword, or drop to reshape commits.
Squashing "WIP" commits into a single logical change makes the history far
easier to audit later.
Warning: Never rebase commits that have already been pushed to a shared branch. Rewriting shared history causes merge conflicts for everyone.
Cherry-Pick
Pull a single commit from another branch without merging everything:
# Apply a specific commit to the current branch
git cherry-pick a1b2c3d4
# Cherry-pick without committing (stage only)
git cherry-pick --no-commit a1b2c3d4
This is invaluable when a hotfix lands on main and you need it in a
long-running release branch.
Git Hooks
Hooks let you enforce standards automatically. The most common hook for
sysadmins is pre-commit:
#!/usr/bin/env bash
# .git/hooks/pre-commit -- block commits containing secrets
# Only inspect ADDED lines ('+' prefix, excluding the '+++ ' file header);
# grepping the whole diff would also block a commit that removes a secret.
if git diff --cached --diff-filter=ACM | grep -E '^\+[^+]' | grep -qEi '(password|secret|api_key)[[:space:]]*='; then
echo "ERROR: Possible secret detected in staged files."
exit 1
fi
Make the hook executable:
chmod +x .git/hooks/pre-commit
Other useful hooks include commit-msg (enforce message format) and
pre-push (run linting or tests before pushing).
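The hook above is a single grep over the diff. The following is an added example, not the article's hook, of a pre-commit script that parses the staged diff properly: it checks only added lines (so removing a leaked secret is never blocked), reports the file and line of every hit, and lets a line be exempted with a `# allow-secret` marker. The regexes and the marker name are assumptions chosen for the example, not an established standard.

```shell
#!/bin/sh
# Added example, not the article's hook: a pre-commit check that looks only at
# lines ADDED by the staged diff (removing a leaked secret is never blocked)
# and reports file:line for each hit. Install as .git/hooks/pre-commit.

# Patterns are assumptions: secret-looking assignments (matched case-insensitively)
# and a few well-known token shapes (AWS access key ID, GitHub PAT, PEM key).
KEYWORD_RE='(password|passwd|secret|api[_-]?key|token)[[:space:]]*[:=]'
TOKEN_RE='AKIA[0-9A-Z]{16}|ghp_[A-Za-z0-9]{36}|-----BEGIN [A-Z ]*PRIVATE KEY-----'
ALLOW_MARK='allow-secret'   # put "# allow-secret" on a line to exempt it (placeholders etc.)

# scan_added_lines: reads a unified diff on stdin, prints "file:line: text" for
# every matching added line; returns 1 if anything matched, else 0.
scan_added_lines() {
    file='?'; line=0; hits=0
    while IFS= read -r raw; do
        case $raw in
            '+++ '*) file=${raw#"+++ "}; file=${file#b/}; continue ;;
            '-'*|'\'*) continue ;;          # old path, removed line, "\ No newline at end of file"
            '@@ '*)  new=${raw#*" +"}; new=${new%%" "*}; line=${new%%,*}; continue ;;
            '+'*)
                text=${raw#+}
                if printf '%s\n' "$text" | grep -qiE "$KEYWORD_RE" ||
                   printf '%s\n' "$text" | grep -qE "$TOKEN_RE"; then
                    case $text in
                        *"$ALLOW_MARK"*) ;;
                        *) printf '%s:%s: %s\n' "$file" "$line" "$text"
                           hits=$((hits + 1)) ;;
                    esac
                fi ;;
        esac
        line=$((line + 1))      # context and added lines both advance the new-file line number
    done
    [ "$hits" -eq 0 ]
}

# Hook entry point; runs only when git invokes the script as .../pre-commit.
run_hook() {
    if git diff --cached --no-color --diff-filter=ACM | scan_added_lines; then
        exit 0
    fi
    echo "ERROR: possible secret in staged changes (see above)." >&2
    exit 1
}
case $0 in */pre-commit) run_hook ;; esac
```

A hook in .git/hooks is local to one clone and is not versioned, so treat it as a convenience for the committer; the server-side branch protection described later is what actually enforces the policy.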
Git Bisect
When something breaks and you have hundreds of commits to sift through,
bisect finds the offending commit with a binary search:
git bisect start
git bisect bad # current commit is broken
git bisect good v1.2.0 # this tag was known-good
# Git checks out a midpoint; test it, then:
git bisect good # or "git bisect bad"
# Repeat until Git identifies the first bad commit
git bisect reset # return to your original branch
You can automate bisect with a test script:
git bisect run ./test-config.sh
GitOps Patterns
GitOps uses a Git repository as the single source of truth for infrastructure. The typical workflow:
- All infrastructure definitions (Terraform, Kubernetes manifests, Ansible playbooks) live in a Git repo.
- Changes go through pull requests with peer review.
- A CI/CD pipeline applies the changes automatically on merge.
- A reconciliation loop (e.g., Flux or ArgoCD) ensures the live state matches the repo.
repo: infra-prod/
├── terraform/
│   ├── main.tf
│   └── variables.tf
├── ansible/
│   ├── inventory.yml
│   └── site.yml
└── k8s/
    ├── deployment.yaml
    └── service.yaml
Managing Infrastructure Repos
Tips for keeping infrastructure repositories maintainable:
- One repo per environment, or use directory-based separation
  (environments/staging/, environments/prod/).
- Pin versions of modules, images, and packages in every file.
- Use .gitignore to exclude generated files, state files, and secrets:
# .gitignore for Terraform repos
*.tfstate
*.tfstate.backup
.terraform/
- Protect the main branch with required reviews and status checks.
- Sign commits with GPG for audit trails in regulated environments.
git config user.signingkey YOUR_GPG_KEY_ID
git config commit.gpgsign true