I'd say it depends on what you're working on. If you're working for a single company, it only makes sense to put WP into repo, to be able to track changes and all. If it is something separate, like plugin or theme, I think you just define WP version in style.css with:
Requires at least: 5
Tested up to: 6.8
And that's it. As for being safe in prod, if you have staging server, you version your updates thru versioning system, and do not change anything on stage/prod manually (only thru pushes), and test your code well, you should be fine. No?