by zimbatm 576 days ago
Another major flaw:

Transparent decryption sounds nice. Until you commit decrypted secrets by mistake.

Because the encryption/decryption is transparent, you won't notice if the .gitattributes pattern-matching is wrong until it's too late.

I did this myself and saw it happen in the wild as well.


using pre-commit with a hook to prevent secrets from being committed provides a bit more help preventing this mistake. Not foolproof, because you could always commit, say, a base64-encoded .env file.
That relies on the user configuring git hooks correctly, which is a similar problem to noticing that transparent decryption is configured correctly.
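As an added example (not code from this thread or from any particular tool), here is a pre-commit check in Python that covers both points raised above: it scans the staged diff for plaintext secrets, decodes long base64 runs so a base64-encoded .env file is caught too, and flags staged files named like secret files that carry no `filter` attribute, which is the .gitattributes pattern mismatch the top comment describes. The secret patterns, the secret-file-name list and the sample diff lines are constructed assumptions for the demo; `git diff --cached` and `git check-attr` are real git commands.

```python
"""Pre-commit check for plaintext secrets in staged changes (added example)."""
import base64
import re
import subprocess
import sys

# Patterns that suggest a plaintext secret. Constructed for this example;
# a real hook would carry a maintained scanner ruleset instead.
SECRET_PATTERNS = {
    "credential assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|password|token)\s*[=:]\s*['\"]?[A-Za-z0-9/+_\-]{8,}"
    ),
    "private key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# A base64 run long enough to hide a small .env file (the evasion noted in the reply).
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# File names that should be covered by an encryption filter in .gitattributes.
# Constructed list; extend it to match the repository's own secret files.
SECRET_FILE_NAMES = re.compile(r"(^|/)(\.env(\..*)?|.*\.(pem|key|p12))$")


def decode_base64_runs(text):
    """Return any UTF-8 text hidden inside base64 runs in `text`."""
    decoded = []
    for match in BASE64_RUN.finditer(text):
        try:
            decoded.append(base64.b64decode(match.group(0), validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64, or a binary payload: skip it
    return decoded


def find_secrets(added_lines):
    """Scan added diff lines; return (line_no, how_found, rule) tuples."""
    findings = []
    for line_no, line in enumerate(added_lines, 1):
        for rule, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((line_no, "plaintext", rule))
        for hidden in decode_base64_runs(line):  # rescan decoded base64 payloads
            for rule, pattern in SECRET_PATTERNS.items():
                if pattern.search(hidden):
                    findings.append((line_no, "base64", rule))
    return findings


def unfiltered_secret_paths(paths, filter_attr):
    """Staged paths named like secret files whose `filter` attribute is unset,
    i.e. files that would be committed without transparent encryption.
    `filter_attr(path)` returns the attribute value or "unspecified"."""
    return [p for p in paths if SECRET_FILE_NAMES.search(p) and filter_attr(p) == "unspecified"]


def git_filter_attr(path):
    """Look up the `filter` attribute git applies to `path` via `git check-attr`."""
    out = subprocess.run(["git", "check-attr", "filter", "--", path],
                         capture_output=True, text=True, check=True).stdout
    return out.strip().rsplit(": ", 1)[-1]  # "path: filter: value" -> "value"


def staged_added_lines():
    """Added lines of the staged diff ('+' lines, minus the '+++' file headers)."""
    diff = subprocess.run(["git", "diff", "--cached", "--unified=0", "--no-color"],
                          capture_output=True, text=True, check=True).stdout
    return [l[1:] for l in diff.splitlines() if l.startswith("+") and not l.startswith("+++")]


def staged_paths():
    out = subprocess.run(["git", "diff", "--cached", "--name-only"],
                         capture_output=True, text=True, check=True).stdout
    return out.splitlines()


def sample_added_lines():
    """Constructed staged diff lines, including a base64-encoded .env blob."""
    env_file = "API_KEY=example0123456789abcdef\nDB_PASSWORD=correct-horse-battery\n"
    return [
        "DEBUG=true",
        "README: nothing sensitive here",
        "export API_KEY=example0123456789abcdef",
        "blob: " + base64.b64encode(env_file.encode()).decode(),
    ]


def main():
    problems = [f"line {n}: {how} {rule}" for n, how, rule in find_secrets(staged_added_lines())]
    problems += [f"{p}: named like a secret file but has no .gitattributes filter"
                 for p in unfiltered_secret_paths(staged_paths(), git_filter_attr)]
    for problem in problems:
        print("pre-commit: " + problem, file=sys.stderr)
    return 1 if problems else 0  # non-zero exit blocks the commit


if __name__ == "__main__":
    sys.exit(main())
```

Install it as `.git/hooks/pre-commit` (or as a local hook in the pre-commit framework) so a non-zero exit blocks the commit. As the last reply points out, a hook only helps on machines where it is installed, so running the same script in CI over the pushed diff is what catches the case where it was not.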