I once worked in a git repository that required those kinds of restrictions.

This was within a bank and the code in question was related to enabling Apple Pay from within the banking application. The consequences of that information and code leaking or being seen by anyone who had not signed the NDA were very serious (don't remember the details but it made the lawyers were extremely stressed about it).

Needing to figure out a way to protect those parts of the codebase it was decided in the end that the "easiest" way of doing this was to split the repository in half, with the actual artifact building taking place from the half that had the NDA code. The rest of the application (basically the whole application) was then used as a dependency by it.

Still didn't quite solve the issue, but access to that repository was heavily controlled.

That always seemed crazy to me about git. Permissions are a pretty basic enterprise offering.

Does Gitlab do better with this?

Try gitolite?

https://gitolite.com/gitolite/index.html

It has fine-grained permissions but works with regular git clients.

That's by design of git, you can't forget that git is first developed for a bazaar model of information flow, especially with a big decentrailized project like the Linux Kernel, not the silo and isolated corporate NDA and closed model you described. Git prefers open information and discourages information closures and segregation of information by placing restrictions exactly like this.

Git enthusiast would often tell you to do this separately with a submodule, and set permission on the version control forge software level (which means Gitea/Github private RBAC access to certain repos for cloning), sure, but that is also painful as hell.

But my point is that all of this is exactly by design from Linus Torvalds's need for Linux Kernel to replace BitKeeper. Git simply isn't the tool for everything, it was developed for a software project with liberalism in mind, but corporate stuff is monoculture and prefers proprietary, shut-in model, and the eat your own dog food mindset, and no wonder it is so painful to deal with.

I ended up writing my own layer over git for permissions for a specific client a long time ago. It has a huge amount of useful features - sadly, I never took the idea further.

The way I usually solve this is by using git submodules.

> That's not something that you can do in git: it's all or nothing.

That is partially incorrect; you can restrict writes via hooks but not reads; you'd need a workaround like submodules

Doesn't git crypt solve this? You can have encrypted blobs in a repo that will be auto decrypted if you have a working key.

My teaspoons are terrible at peeling potatoes.

Git has no built in authentication or RBAC. Thats not what its for. Its flat file source control.

I swear loads of people havent a clue how git works or why it exists...most of the git based cloud services out there are 90% additional crap bolted on.