Channel: linuxadmin: Expanding Linux SysAdmin knowledge

Many websites hosted on a single server and maintained by a team of developers – what is the perfect permissions setup?


(Disclaimer: I'm not exactly sure which subreddit was most appropriate for this question. If you have any ideas where it may be better suited please let me know and I'll re-post it there. I posted this on /r/linuxquestions yesterday, but so far haven't had any responses so I thought I'd try and post it here. Thanks.)

TL;DR: Our web project directory on our server is owned by apache and I want all new files created within that directory (by pulling in changes from our repository, for example) to have apache as the user. When pulling from the repo the owner is set to the currently logged-in user rather than apache, which means apache can't read the files and the website displays errors. How can I make the user of newly created files always be apache regardless of which user created them? Or what changes should I make to the server and our workflow in order to adhere to best practices and maintain correct file permissions? /TL;DR

I work in a team of five PHP developers. In the last month I've been trying to improve our dev team's processes and implement as many best practices as possible. One of the main changes was to create a user on the server for each of our developers, and we SSH into our own personal accounts using SSH keys. This is a vast improvement over everyone logging in using root, which is what was happening until about a month ago.

A bit of background about the team and the sites we serve:

  • On our single server (CentOS), we serve many sites using name-based virtual hosts.
  • Each site is a PHP laravel application, each of which is version controlled in a Mercurial repository.
  • Each site project folder is contained within the /home/www/ directory. (I intend to switch to using the more standard /var/www/ at some point).
  • In each project, there is a single directory that needs to be writable by the webserver.
  • Apache runs as a user named apache.
  • We also have a Satis installation (/home/www/satis), where we have to manually run php satis build which writes new directories and files to a directory found within the satis project.

The current deployment process:

  • We SSH into the server (as our own personal user) and pull the updates from the project's Mercurial repository by executing hg pull.
  • We then run composer install --no-dev.

So, nothing particularly special or unique.

The question – How should the users/groups/permissions be structured?

I read this fantastic answer, and it helped a lot: http://serverfault.com/questions/357108/what-permissions-should-my-website-files-folders-have-on-a-linux-webserver . After reading that answer, I concluded the following:

  • Each developer should have their own user on the server.
  • Each developer's user should be a member of a group, say developers.
  • The developers group needs read and write access to all files and folders so that they can run hg pull and composer install and php satis build successfully. Execute permission is not needed on any files for either apache user or developers group.
  • apache should not have write access to any files or folders in the project root, except for any directories where write access is specifically granted.
  • The project folder permissions should look like this:

    $ ls -l /home/www/
    dr--rwx--- 4 apache developers 4096 Apr 30 16:30 website1
    dr--rwx--- 4 apache developers 4096 Apr 30 16:30 website2
    ...
  • The SGID bit should be enabled on each site project directory so that any new files created within inherit the group of the parent (in this case, developers).

  • In directories where apache needs write access I just grant apache write access for that folder by running, for example, sudo chmod -R u+w app/storage/, resulting in

    $ ls -l /home/www/website1/app/
    dr--rws--- 2 apache developers 4096 Mar 6 14:58 commands
    ...
    drw-rws--- 6 apache developers 4096 Apr 30 16:30 storage
    ...

First of all, would you agree that everything listed there seems reasonable, and do you have any recommendations to improve this setup further?

The resulting issues
This solution looks good on paper; however, it causes the following issues that the answer I linked to doesn't really address:

  1. When any developer does any of the following:
     1. updates a site by running hg pull;
     2. updates the project's Composer dependencies by running composer install;
     3. rebuilds our Satis installation by running php satis build;
     it results in new files and directories being written to the project directory. The problem is that every new file and directory that is created has the user who executed the command as its owner, rather than apache. So apache does not have read access to all newly created files, which immediately causes errors. This means the user would have to run, for example, sudo chown -R apache /home/www/website1/ after running any of the above three commands within website1, which just seems messy and not ideal. As far as I'm aware from a bit of Googling, there is no equivalent of SGID for inheriting the user of the parent folder, so I'm not sure what the solution is here.
  2. I thought that in order to ensure that newly created files and directories have the correct permissions, every developer could set their umask to 460. This should result in all newly created files having the permission -r--rw---- and newly created directories having the permission dr-xrwx---. However, this of course would apply to that user throughout the entire server, and this is probably not an ideal umask for anywhere other than the web root directories, but I don't think it's possible to limit a umask to a set of directories. I'm not sure what the solution is here either – if I leave the umask unmodified, then all new files and directories are created with permissions that don't match the parent folder.

If anyone has any feedback about anything I've mentioned in this post it would be greatly appreciated. Issue #1 is a particular pain and I just can't think of a good solution so it would be great if you guys have any ideas or suggestions.

Thanks. :)

submitted by boreasaurus
