git: Restrict spawned commands to a specific dir

James Liu requested to merge jliu-restrict-git-wd into master

#6065

Git commands can be created in Gitaly using the New() or NewWithoutRepo() command factory functions. The former executes the Git command in the context of a repository (by setting the --git-dir option) while the latter simply omits this option. In both cases, the command itself will be spawned in whatever the current directory is.

This has recently caused some test failures in CI which could not be reproduced locally because the Git command in question was not running in the context of a repository in CI, but was locally (in the local Gitaly source tree).

Modify the command options so Git commands are always spawned within a known working directory. This is either a fixed scratch directory within the Gitaly runtime dir for commands that don't need a repository, or the repository's relative path otherwise.

Specify GIT_CEILING_DIRECTORIES to be the same directory so Git does not venture outside of its working directory.

Edited by James Liu
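
A sketch of the approach described above, added here as an example and not taken from the merge request or from Gitaly's code: `gitCommand`, the `git-scratch` directory name and the list of dropped variables are assumptions. It sets GIT_CEILING_DIRECTORIES to the parent of the working directory, since git documents the variable as the directories it will not chdir up into and never excludes the current working directory itself.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
)

// gitCommand is a hypothetical helper (not Gitaly's New/NewWithoutRepo).
// Empty repoPath means "no repository": git runs in a scratch directory
// under runtimeDir ("git-scratch" is an assumed name).
func gitCommand(runtimeDir, repoPath string, args ...string) (*exec.Cmd, error) {
	dir := repoPath
	if dir == "" {
		dir = filepath.Join(runtimeDir, "git-scratch")
		if err := os.MkdirAll(dir, 0o700); err != nil {
			return nil, err
		}
	}
	dir, err := filepath.Abs(dir) // ceiling entries must be absolute paths
	if err != nil {
		return nil, err
	}
	if repoPath != "" {
		args = append([]string{"--git-dir", dir}, args...)
	}
	cmd := exec.Command("git", args...)
	cmd.Dir = dir // never inherit the caller's current directory
	// Drop inherited variables that would steer repository discovery.
	for _, kv := range os.Environ() {
		name, _, _ := strings.Cut(kv, "=")
		switch name {
		case "GIT_DIR", "GIT_WORK_TREE", "GIT_CEILING_DIRECTORIES":
		default:
			cmd.Env = append(cmd.Env, kv)
		}
	}
	// Discovery may inspect dir itself but must not climb into its parent.
	cmd.Env = append(cmd.Env, "GIT_CEILING_DIRECTORIES="+filepath.Dir(dir))
	return cmd, nil
}

func main() {
	cmd, err := gitCommand(os.TempDir(), "", "rev-parse", "--git-dir")
	if err == nil {
		out, runErr := cmd.CombinedOutput()
		fmt.Printf("%s(err: %v)\n", out, runErr)
	}
}
```

Run from inside any Git checkout, `main` shows whether `git rev-parse --git-dir` still finds a repository once the command is confined to the scratch directory.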