If you deliver a Bedrock website to a client, and you want the client to maintain the installation (perform core & plugin updates), you need to allow file mods: add
Config::define('DISALLOW_FILE_MODS', false); to
The main problem with this approach is that it allows users not only to update WP core & plugins, but it also allows users to add plugins. This means when you deploy a new version, these plugins will be deleted.
I created a mu-plugin which disables plugin installation from the WordPress admin. The plugin simply removes the install_plugins capability. I have added a check
'plugin-install.php' != $pagenow, to make sure we can view update notes (changelog).
composer require tombroucke/otomaties-disable-plugin-installation
Be carefull when deploying a new version, because the plugins in your git repository could be out of date, so you need to update them accordingly or you could experience some problems caused by regression.