testcfg: Fix building binaries as unprivileged user with Go 1.18+
Our CI pipelines execute tests as unprivileged user so that we can verify that all tests pass without any additional capabilities and that tests don't write any data into the source tree. This broke for our nightly jobs though with the recent update to Go 1.18 because we now fail to build the auxiliary Go binaries.
The root cause is a combination of two things:
- Go 1.18 started to query the repository for VCS information so
that it can embed that information into the resulting Go binaries.
- Git has addressed CVE-2022-24765 and won't open repositories by
default anymore that aren't owned by the current user.
So when testing with recent Go and Git versions as unprivileged user then Go will try to extract the VCS information, but Git will refuse to operate.
Fix this by declaring the source directory as "safe". While this is not
necessarily the case, it doesn't compromise our security any more than
before: if an adversary was able to write to the .git/config
file,
then the very same adversary would also able to just touch up the source
code of Gitaly itself. So that adversary could obtain arbitrary code
execution by just changing whatever is executed as part of our tests.