Does your choice of configuration management tool (Ansible, Salt, Puppet, Chef, etc.) control tier 0 assets (authentication/directory servers, network equipment, etc.)?
Do you consider your CM tool tier 0?
If so, do you only allow access to it via privileged access workstations?
Would you use Git for the code repository?
What about if the Git repo was local and also controlled as tier 0?
What does your CM setup look like?