How do you handle the database in your git Repositories? I'm asking because I never found a good solution for Version control of Systems like Joomla and WordPress. Optimally I'd like to be able to install and Setup a plugin on my Dev machine, then push that to production, as I would do with, for example a Rails App.
We only version the wp-content folder. We have automated db backups that we retain in multiple locations on a schedule.
Our hosts let us duplicate the db various ways between staging/prod and we just do a copy and search+replace for local development. We used to use WP DB Migrate Pro for that last part but it is buggy to the point of nonfunctional now.
So yes, you do have to do plugin setup/site configuration on dev, staging and prod. I don't see a good workaround for that, but the duplication of work leading up to production has allowed us to catch problems before hitting production.
Take a look at VersionPress.
Have their access be just the content and limited/filtered by role. The built-in roles need virtually no tweaking.
We have our WordPress sites as git repositories and build via CircleCI, Ansible and Composer. For Multisite instances we use Composer and Satis and keep the themes in their own repositories and use tagged releases to manage our multisite build using CircleCI and Ansible again.
We use two-factor auth for Wordpress login (currently Duo on non-multisite installs). Nobody gets to install plugins. Nobody writes files into folders manually.
Minimal plugin usage is a solid recommendation.