
In a monorepo situation, can you restrict read access for certain branches/directories, or is it just writes, e.g. push/merge? I was under the impression that isn't really possible given how git works, but I thought I'd still ask, just in case.



As others have said, read access for refs / directories is a bit more complicated than just embedding a secret in the repository given how Git works. We have more exploring to do but it's possible that this isn't easy to implement without leaking some information about directory structure and so on, especially if someone can access one branch but not another.


Read access can't really be partially restricted in git, because git is content addressed. Without the data you can't construct the sha hash, so there's no way to address a commit at all. You could publish partial data, and you could generate new partial commits for that data, but it would probably not be very useful outside of a very niche use case.


With the sparse checkout/partial clone features there's no particular reason you couldn't enforce partial read access: the way git tree hashes work, if you don't change anything in a subdirectory, the contribution of that hash to the tree doesn't change. So as long as you have the hash of that directory you don't need the contents to construct a new commit. The same is true for files themselves: the main thing that must be known is that if you are a file you must know the contents of it, and the directory listing of all the parent folders up to the root. Everything else you only need to know the hash. This is how sparse checkouts work and still allow commits, and it can be turned into partial read access by only allowing sparse checkout and not allowing the content of those directories to be sent to the client.
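The comment above is the crux of the thread, so here is an added example (not from any commenter, and not code from any git hosting product) that reproduces git's blob and tree hashing in plain Python and shows that a client which is handed only the 20-byte hash of a restricted subdirectory can still build a root tree identical to the one the server computes with full knowledge. The repository layout and file contents are constructed sample data; the `OpaqueDir` class is a hypothetical stand-in for "a directory whose tree hash the server sends but whose contents it withholds".

```python
import hashlib
from typing import Dict, List, Tuple, Union

# Git encodes a loose object as "<kind> <byte length>\0<body>" and SHA-1s that.
MODE_FILE = b"100644"
MODE_DIR = b"40000"  # git writes directory entries as "40000", not "040000"


class OpaqueDir:
    """Hypothetical: a subdirectory the client may not read; only its tree hash is known."""

    def __init__(self, sha: bytes) -> None:
        assert len(sha) == 20
        self.sha = sha


# A directory is a dict of name -> file bytes | nested dict | OpaqueDir
Node = Union[bytes, "Tree", OpaqueDir]
Tree = Dict[str, Node]


def git_object_hash(kind: bytes, body: bytes) -> bytes:
    """Raw 20-byte SHA-1 of a git object, exactly as `git hash-object` computes it."""
    header = kind + b" " + str(len(body)).encode() + b"\0"
    return hashlib.sha1(header + body).digest()


def blob_hash(content: bytes) -> bytes:
    """Hash of a file's contents; the file name does not enter into it."""
    return git_object_hash(b"blob", content)


def tree_hash_from_entries(entries: List[Tuple[bytes, str, bytes]]) -> bytes:
    """Serialize (mode, name, raw sha) entries the way git does and hash the result.

    git sorts entries bytewise by name, with directories compared as if they had
    a trailing '/', so a file 'a' and a directory 'a-b' end up in the same
    order that git itself would produce.
    """
    def sort_key(entry: Tuple[bytes, str, bytes]) -> str:
        mode, name, _ = entry
        return name + "/" if mode == MODE_DIR else name

    body = b"".join(
        mode + b" " + name.encode() + b"\0" + sha
        for mode, name, sha in sorted(entries, key=sort_key)
    )
    return git_object_hash(b"tree", body)


def tree_hash(tree: Tree) -> bytes:
    """Hash a directory recursively; an OpaqueDir contributes only its known hash."""
    entries: List[Tuple[bytes, str, bytes]] = []
    for name, node in tree.items():
        if isinstance(node, OpaqueDir):
            entries.append((MODE_DIR, name, node.sha))   # contents never needed
        elif isinstance(node, dict):
            entries.append((MODE_DIR, name, tree_hash(node)))
        else:
            entries.append((MODE_FILE, name, blob_hash(node)))
    return tree_hash_from_entries(entries)


def sparse_client_matches_server() -> bool:
    """Constructed scenario: a client allowed to read only public/ edits a file there.

    The server gives it the tree hash of secret/ but withholds secret/key.txt.
    The client's new root tree must equal what the server computes with full data.
    """
    # Server-side, full repository (constructed sample content)
    full_repo: Tree = {
        "public": {"readme.txt": b"hello\n"},
        "secret": {"key.txt": b"CONSTRUCTED-SAMPLE-SECRET\n"},
    }
    secret_sha = tree_hash(full_repo["secret"])  # the only thing sent to the client

    # Client-side view after editing public/readme.txt
    client_view: Tree = {
        "public": {"readme.txt": b"hello world\n"},
        "secret": OpaqueDir(secret_sha),
    }
    client_root = tree_hash(client_view)

    # Server applies the same edit with full knowledge of secret/
    server_view: Tree = {
        "public": {"readme.txt": b"hello world\n"},
        "secret": full_repo["secret"],
    }
    server_root = tree_hash(server_view)
    return client_root == server_root


if __name__ == "__main__":
    print("root trees match:", sparse_client_matches_server())
```

The point of the example is that `tree_hash` never needs to descend into an `OpaqueDir`, so a server enforcing read restriction can hand out subtree hashes without the underlying objects and still accept commits that reference them; what it cannot hide is the entry name and mode in the parent listing, which is exactly the metadata leak the other commenters point out.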


Thanks for this excellent explanation. I'm not aware of any software that makes this easy e.g. like gitolite or gitlab but I'm pleased to now realise this isn't because it's not possible! I think there would be a lot of value in someone providing this feature.


That is true! I forgot about that. You need to be able to read metadata, including file names, but not the actual contents as the hash would suffice. That sounds like the start of quite a fun project!


Restricting read access is one of the missing features in monorepos. While they make a lot of stuff easier and trackable, I don't feel comfortable having every temporary consultant having access to all code at once.



