RFC: Git-backed templates #2958

Closed
ammario opened this issue Jul 13, 2022 · 8 comments

@ammario
Member

ammario commented Jul 13, 2022

See problem statement in #2950

If I could set a template as backed by a git ref, change management is dead simple. Iteration shouldn't suffer as template update is replaced by git push.

CI automation (e.g. pushing a Docker image with each template) also becomes simpler.

We should do the "Open in Coder" button alongside this as well. Keep in mind that this button should support specifying a path within the repository, as multiple templates can coexist in one repo.

@bpmct bpmct self-assigned this Jul 13, 2022
@ammario ammario changed the title Add VCS-backed template Add Git-backed template Jul 14, 2022
@ammario ammario changed the title Add Git-backed template Git-backed templates Jul 14, 2022
This was referenced Jul 14, 2022
@ketang
Contributor

ketang commented Jul 14, 2022

Our VCS support should allow multiple URLs for the same template and create a union of all files. That allows them to have separate governance for individual subsets of files, for instance to more tightly limit who has access to sensitive data contained in one file.

@ammario
Member Author

ammario commented Jul 14, 2022

So, our whole model becomes more complex when we assume that sensitive data will be in both the templates and the provisioner environment. See our recommended approach to secrets here.

Most git providers support CODEOWNERS so they can finely control edit access in the repo without us adding an additional feature.
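
A sketch of how the CODEOWNERS approach mentioned above could be audited for a repository holding several templates. This is an added example, not code from the Coder project or from any commenter in this thread. The team names, template paths and `secrets.tf` file are constructed, and the pattern matching covers only a simplified subset of CODEOWNERS syntax. It shows that rule order decides who effectively owns a sensitive file, because the last matching rule wins.

```python
import re

def to_regex(pattern):
    """Translate one CODEOWNERS pattern (simplified subset) to a regex."""
    anchored = pattern.startswith("/") or "/" in pattern.rstrip("/")
    body = re.escape(pattern.strip("/"))
    body = body.replace(r"\*\*", ".*").replace(r"\*", "[^/]*")
    # A pattern matches the path itself or anything beneath it.
    return re.compile(("^" if anchored else "^(?:.*/)?") + body + "(?:/.*)?$")

def parse_codeowners(text):
    """Return [(regex, owners)] in file order, skipping comments and blanks."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            pattern, *owners = line.split()
            rules.append((to_regex(pattern), owners))
    return rules

def owners_for(rules, path):
    """Effective owners of a path: the last matching rule wins."""
    owners = []
    for regex, rule_owners in rules:
        if regex.match(path):
            owners = rule_owners
    return owners

def audit(rules, sensitive_paths, restricted_team):
    """Sensitive paths whose effective owners are not only the restricted team."""
    return [p for p in sensitive_paths
            if set(owners_for(rules, p)) != {restricted_team}]

# Constructed sample: one repository holding several templates.
GOOD = """
*                        @acme/platform
/templates/aws-linux/    @acme/cloud-team
/templates/*/secrets.tf  @acme/security   # most specific rule last
"""
# Same rules, but the directory rule now comes last and overrides the secrets rule.
BAD = """
*                        @acme/platform
/templates/*/secrets.tf  @acme/security
/templates/aws-linux/    @acme/cloud-team
"""
SENSITIVE = ["templates/aws-linux/secrets.tf", "templates/k8s/secrets.tf"]

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit(parse_codeowners(text), SENSITIVE, "@acme/security"))
```

Run as a CI step on the template repository, a non-empty audit result means a sensitive file can be approved by someone outside the restricted team.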

@ketang
Contributor

ketang commented Jul 14, 2022

> our whole model becomes more complex when we assume that sensitive data will be in both the templates and the provisioner environment

Yeah. I'm not expressing a preference. I'm just predicting what customers will want.

Also, there are different kinds of sensitive data that may appear in templates. It's not just authentication secrets.

@ketang
Contributor

ketang commented Jul 14, 2022

Especially could be a concern interfacing with legacy systems that aren't compatible with more modern auth*.

@sreya
Collaborator

sreya commented Jul 14, 2022

I really like the idea of git-backed templates since I think that's the way that most people that are seriously using the product are going to want to source-control their workspace configuration. Some thoughts on how this would be implemented:

  • Are we introducing a new template "type" or are we doing away with our current model of coderd hosting the template archives? Eliminating the current model is the simplest way but it is backwards breaking (although I don't think we should care about this that much this early into the project).

  • Only git-backed templates also makes the initial experience more arduous. Right now a user downloads coderd, runs like 3 commands, and they have a workspace. If we move to purely git and a user needs to make some minor changes to our base templates, then they have to set up an OAuth app or GitHub/GitLab/Bitbucket app (GitHub specifically is deprecating OAuth apps I'm pretty sure) in order for coderd to pull the template correctly. That's a lot of work to just check out the product.

  • If we introduce a new concept of "git templates" to sit alongside "local templates", then we have the added cognitive overhead of having to think through both flows whenever we want to make a change to templates. Commands like coder template push/pull also become conditional based on the template. Does template push/pull no-op for git-backed templates since it's all done via git?

It's worth mentioning that people can use git right now to version control their templates. Their CI would just run templates update or whatever. Obviously this still allows a user to potentially accidentally overwrite the wrong template, but maybe if we have finer-grained RBAC we can recommend that customers remove that permission for all users except whatever service account their CI is using.

@ammario
Member Author

ammario commented Jul 15, 2022

@sreya all good concerns — perhaps we should resolve #2987 before this one?

@github-actions

This issue is becoming stale. In order to keep the tracker readable and actionable, I'm going to close this issue in 7 days if there isn't more activity.

@github-actions github-actions bot added the stale label Oct 25, 2022
@github-actions github-actions bot closed this as not planned Nov 2, 2022
@bpmct bpmct reopened this Dec 6, 2022
@github-actions github-actions bot removed the stale label Dec 7, 2022
@github-actions

This issue is becoming stale. In order to keep the tracker readable and actionable, I'm going to close this issue in 7 days if there isn't more activity.

@github-actions github-actions bot added the stale label Apr 12, 2023
@github-actions github-actions bot closed this as not planned Apr 19, 2023

5 participants