Configure project clone directory as safe by default

Description

The change made in recent Git releases to address CVE-2022-24765 now refuses to run any git command under the project clone directory if the container runs as a non-root user (that is, as a user other than the one who owns the clone):

Example scenario:

  1. Job runs helper image for clone operation under the build directory as user X
  2. Job initiates build image container and the job script after successful clone
  3. Build image container runs as a different user Y
  4. Build script attempts to git clone another repository it depends on, with its destination somewhere under the working directory (the project clone directory)

Step (4) passed before the changes introduced in Git 2.35.2.

Now step (4) may fail with the following error, and a manual safe.directory override in .gitconfig is required to work around it:

fatal: unsafe repository ('/builds/project/group' is owned by someone else)

Note: The clones are performed by default as root or ContainerAdmin user through GitLab Runner's default helper images.

Proposal

  • Add new Runner option SetSafeDirectoryCheckout
  • Option should be enabled by default in environments where we're okay to modify global git options.
  • Option will be available for other executors, but will be disabled by default.
  • When enabled, we run:
    git config --global --add safe.directory /builds/group/project

Workaround options

  • The post_clone_script config under the [[runners]] section in each runner's config.toml could be used to apply the required command every time:

    [[runners]]
      post_clone_script = "git config --global --add safe.directory $(pwd)"

  • Alternatively, another workaround is to add the following to the pre_clone_script config under the [[runners]] section in each runner's config.toml:

    [[runners]]
      pre_clone_script = "git config --global --add safe.directory $CI_PROJECT_DIR"
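The following is an added example, not GitLab Runner code: it reproduces the ownership test that produces the "unsafe repository" error above and implements the file-level effect of `git config --global --add safe.directory <dir>` from the proposal and workarounds, so the decision and the write can be exercised without root and without a git binary. The `euid` parameter and the function names are assumptions made for the example.

```python
import os
import re
from pathlib import Path


def needs_safe_directory(repo_dir, euid=None):
    """Mirror the ownership test behind the CVE-2022-24765 fix: git treats a
    repository as unsafe when its top-level directory is owned by a uid other
    than the effective uid running git. `euid` defaults to the current process
    and is a parameter (assumed for this example) only so the foreign-owner case
    (helper image cloning as root, build container running as user Y) can be
    reproduced without root."""
    if euid is None:
        euid = os.geteuid()
    return os.stat(repo_dir).st_uid != euid


def safe_directories(gitconfig):
    """Return every safe.directory value in a git config file. The key may
    repeat and [safe] may appear more than once, which configparser cannot
    model, so the file is parsed by hand."""
    gitconfig = Path(gitconfig)
    if not gitconfig.exists():
        return []
    dirs, in_safe = [], False
    for raw in gitconfig.read_text().splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_safe = line.lower() == "[safe]"
        elif in_safe:
            m = re.match(r"directory\s*=\s*(\S.*)", line, re.I)
            if m:
                dirs.append(m.group(1).strip())
    return dirs


def add_safe_directory(gitconfig, repo_dir):
    """File-level equivalent of `git config --file <gitconfig> --add
    safe.directory <repo_dir>`: appends a new [safe] section (git accepts
    repeated sections). Returns False when the entry is already present or a
    wildcard '*' already allows every directory, so re-running is harmless."""
    gitconfig = Path(gitconfig)
    present = safe_directories(gitconfig)
    if repo_dir in present or "*" in present:
        return False
    with gitconfig.open("a") as fh:
        fh.write(f"[safe]\n\tdirectory = {repo_dir}\n")
    return True
```

Adding an entry only when `needs_safe_directory()` is true keeps the global config minimal, which matters because each safe.directory entry re-opens the trust the CVE fix removed for that path.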
Edited by Anton Smith