Not sure it matches exactly your request...
However, if you look at this Use of NodeRed for international weather, climate, ocean, hydrology data exchange and that GitHub - golfvert/WIS2-GlobalBroker-NodeRed: Basic reference of a Global Broker for WIS2 it is kinda close.
The github repository is managed throughout the "project" feature of NodeRed. Then, when changes are made, a new docker image is made with the updated set of flows.
So, upgrading the flows is made by an upgrade of the docker container version.
The parameters (env variables) used within the various nodes are initialised using docker compose.
All this is currently deployed on an on-premise openstack cluster. Using ansible you can easily update all the docker-compose and then, done.
Fairly close to your 2., 3. and 4. I think.
