
We have our project on /var/www and it is owned by user www-data.

I would like to create an automation for deploy so I do:

  • Connect through SSH as user www-data
  • Navigate to /var/www/somefolder
  • Perform git pull and all the relevant stuff.

Is it secure to log in with www-data through ssh and perform these actions?

Or should I log in with a different user and then add him to the www-data group? Or log in with a different user and then su www-data and then do the work?

2 Answers


The problem with this isn't so much that it is insecure to log in as www-data but that it is insecure to have your entire website writable by that account. You should use another account for managing your website files which has write permissions to the directories. That user should own the files (and is generally also in the www-data group but this isn't absolutely needed). You will then be able to set the permissions you need by using the group permissions to specify what the website can do and user permissions to specify what your management account can do. You probably won't ever need to give any permissions to others for these files.

This management account should also be able to sudo chmod (and probably sudo chown) those files as needed in order to allow the website write permissions on specific folders in your site (such as a temp folder). If you do not want to allow that by this user then you'll need to provide folders for this purpose that you require website managers to use.

Edit: You can also remove read permission on files to remove them from the website without deleting them. This is a little less safe to do though because you may accidentally set it back without knowing when you upload it next time. This is why I would also suggest always writing a publish script to automate uploading your files and doing these sort of changes so they are never forgotten.

krowe
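The scheme described in this answer (management user owns the files, the web server's group gets read and traverse only, a few explicitly named folders are group-writable, and a publish script re-applies and checks the layout) as an added shell example; this is not krowe's code. The function names, the `www-data` group name and the writable-folder list are assumptions.

```shell
#!/bin/sh
# Added example, not from the answer above: apply the answer's permission
# scheme to a site tree and check it afterwards.  Files are owned by the
# management user and group-owned by the web server's group (www-data on
# Debian/Ubuntu), mode 0640 for files and 0750 for directories, so the
# server can read and traverse but never write.  Only directories named
# explicitly (a temp or upload folder) become group-writable (0770/0660).
# Assumption: changing ownership to another user needs root (sudo).

# harden_site_tree ROOT OWNER GROUP [WRITABLE_DIR...]
# WRITABLE_DIR entries are relative to ROOT and are created if missing.
harden_site_tree() {
    h_root=$1; h_owner=$2; h_group=$3; shift 3
    for h_rel in "$@"; do mkdir -p "$h_root/$h_rel"; done
    chown -R "$h_owner:$h_group" "$h_root"
    find "$h_root" -type d -exec chmod 0750 {} +
    find "$h_root" -type f -exec chmod 0640 {} +
    # only the listed folders may be written by the web server
    for h_rel in "$@"; do
        find "$h_root/$h_rel" -type d -exec chmod 0770 {} +
        find "$h_root/$h_rel" -type f -exec chmod 0660 {} +
    done
}

# audit_site_tree ROOT [WRITABLE_DIR...]
# Reports anything group- or world-writable outside the allowed directories
# and returns 1 if such paths exist.  Run it at the end of a publish script
# so a stray chmod or upload does not go unnoticed.
audit_site_tree() {
    a_root=$1; shift; a_allowed=$*
    find "$a_root" \( -perm -020 -o -perm -002 \) | {
        bad=0
        while IFS= read -r p; do
            ok=0
            for rel in $a_allowed; do
                case "$p" in "$a_root/$rel" | "$a_root/$rel"/*) ok=1 ;; esac
            done
            if [ "$ok" -eq 0 ]; then
                echo "writable by web server or others: $p" >&2
                bad=1
            fi
        done
        [ "$bad" -eq 0 ]
    }
}
```

A publish script would run `git pull` as the management user and then call `harden_site_tree` followed by `audit_site_tree` (as root when ownership has to change), so freshly fetched files never stay writable by the web server.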

I also faced this problem; we have to make sure all files have www-data permissions. I solved my problem by using these commands.

# add the current account to the www-data group (takes effect at the next login)
sudo usermod -aG www-data $USER
# make everything under /var/www owned by www-data:www-data
sudo chown -R www-data:www-data /var/www/
# then hand user ownership back to the current account; the www-data group stays
sudo chown -R $USER /var/www/
DarkDiamond