Nothing wrong with the workflow, per se. But generally the "canonical" repository is separate, and you deploy to your production server manually with some other mechanism like rsync. This way:
Your production server updates aren't tied to your development workflow. If your production server (ever!) needs any work done after a code change—restarting the webserver, flushing some cache, making a schema change, etc.—then suddenly production system concerns are interfering with your ability to update code and that sucks.
You don't have to worry about accidentally leaking access to your .git directory and exposing all your source code and development history.
It takes two accidents to break the site (ruin master and deploy) instead of just one (ruin master).
Perhaps not a concern with just the two of you, but it's useful to have the "update the site" button have different authorization than the "update the code" button.
Staging servers exist to be like production, but breakable. You only have two developers, yet you're already using wildly different operating systems; I'm fairly certain at least one of you is not using a development environment identical to production. :)
And no, you can't add files to a bare repository. You need a working copy to do anything with the working tree.
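An added example, not part of the original answer: a sketch of the rsync-style deploy described above, with a check that no version-control metadata ends up in the document root. The function names `vcs_leaks` and `deploy` and the local source and destination paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: deploy a working copy with rsync and refuse to call the
# deploy good if VCS metadata is reachable under the document root.
# Function names and paths are hypothetical.

# vcs_leaks DIR
# Print every .git/.svn/.hg entry under DIR (directories or gitlink files).
# -prune stops find from descending into a match, so each leak is listed once.
vcs_leaks() {
    find "$1" \( -name .git -o -name .svn -o -name .hg \) -prune -print
}

# deploy SRC DEST
# Mirror SRC into DEST without copying .git, then audit DEST.
# Note: --exclude also protects a matching path on the receiving side from
# --delete, so a .git left over from an earlier "git pull on the server"
# setup survives the sync. The audit after the copy is what catches it.
deploy() {
    src=$1
    dest=$2
    rsync -a --delete --exclude=.git "$src"/ "$dest"/ || return 1

    leaks=$(vcs_leaks "$dest")
    if [ -n "$leaks" ]; then
        printf 'VCS metadata found in document root:\n%s\n' "$leaks" >&2
        return 1
    fi
    return 0
}

# Usage (paths are placeholders):
#   deploy /path/to/checkout /path/to/docroot
```

A non-zero exit from `deploy` means the files were copied but the document root still contains repository metadata that has to be removed by hand.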