Everything I've written about git, organized by type.

Reference

Extending Git Functionality — A practical guide to the different ways you can extend git: subcommands, filters, hooks, remote helpers, and more.
Git's Magic Files — Magic files and where to find them: .gitignore, .gitattributes, .mailmap, .git-blame-ignore-revs, .lfsconfig, and more.

git-pkgs

Making git-pkgs feel like Git — What it takes to make a git subcommand feel native.
Rewriting git-pkgs in Go — The dependency history tool is now a single Go binary.
git-pkgs: explore your dependency history — A git subcommand to explore the dependency history of your repositories.

GitHub

Community Tools Bring Lockfile Support to GitHub Actions — Community projects gh-actions-lockfile and ghasum address GitHub's missing lockfile support with SHA pinning and integrity verification
GitHub Actions Has a Package Manager, and It Might Be the Worst — GitHub Actions has a package manager that ignores decades of supply chain security best practices: no lockfile, no integrity verification, no transitive pinning

Deep dives

Package managers keep using git as a database, it never works out — Git repositories seem like an elegant solution for package registry data. Pull requests for governance, version history for free, distributed by design. But as registries grow, the cracks appear.

Everything else

Revisiting Gitballs — Nine years ago I experimented with storing package tarballs as git objects. A visit to Software Heritage got me thinking about it again.