Why git reflogs are important, check here. If not opened, paste this url manually.
https://linuxamination.blogspot.com/2021/04/git-reflog-and-its-importance.html
CI / CD was implemented to save the time of everyone in the team who pulls the code on development, staging and production server.
It makes the 'git pull' process automated. Gitlab CI / CD and Jenkins are used by DevOps to achieve this. If you have used Jenkins, you must have created pipelines or jobs to update the code frequently on the server.
Jenkins has its own security policies and if you see carefully, you will find Jenkins asks your git password but it does not show password in plain text, the places where password is visible, either it is in hash or it is with stars like '******@123'.
But if you use third party applications like Jenkins or a Shell Script to pull the code using git on the server, anyone who has access of your server's project directory can read your git password in plain text.
You should try this yourself. cd into your project directory on the server and run command `git reflog`
If reflogs are enabled, you can see the pulled commits with password in the plain text.
If your all code is tested properly on QA server and you do not need this utility on production server, you can simply turn off saving reflogs by setting the following option in the remote git repository.
[core]
logAllRefUpdates = 0
You can remove your git reflogs using following command.
This command will remove all the relogs older than 15 days.
git reflog expire --expire=15.days.ago --expire-unreachable=now --all
You can change the day number to 1 and it will delete all the reflogs of yesterday and older.