tooling: point git to directory instead of disabling security features

Easier to maintain version of 7c2b552
that additionally does not fiddle with security sensitive settings.

.github/actions/alpine-pandoc-hugo/Dockerfile

@@ -7,6 +7,4 @@ RUN apk --no-cache add ruby git
 COPY delete-script.rb /opt/delete-script.rb
 RUN chmod +x /opt/delete-script.rb
 
-RUN git config --global --add safe.directory /data
-
 ENTRYPOINT ["sh", "-c"]

Makefile

@@ -33,8 +33,17 @@ ifneq ($(DOCKER), false)
 DOCKER_IMAGE      = alpine-pandoc-hugo
 DOCKER_COMMAND    = docker run --rm -i
 DOCKER_USER       = -u "$(shell id -u):$(shell id -g)"
-DOCKER_VOLUME     = -v "$(shell pwd):/data" -w "/data"
-DOCKER_TEX_VOLUME = -v "$(dir $(realpath $<)):/data" -w "/data"
+# GIT_DIR ensures that git works with the repository
+# no matter the owning user of the directory.
+# see https://github.com/Compilerbau/CB-Lecture-Bachelor/pull/16 for the discussion
+# around this specific workaround and
+# https://github.blog/2022-04-12-git-security-vulnerability-announced/ &
+# https://stackoverflow.com/questions/71901632/fatal-error-unsafe-repository-home-repon-is-owned-by-someone-else
+# for a general overview of the issue.
+#
+# ***Important***: keep the location of GIT_DIR in sync with the mountpoint of the repository inside the container.
+DOCKER_VOLUME     = -v "$(shell pwd):/data" -w "/data" --env GIT_DIR=/data/.git
+DOCKER_TEX_VOLUME = -v "$(dir $(realpath $<)):/data" -w "/data" --env GIT_DIR=/data/.git
 
 PANDOC        = $(DOCKER_COMMAND) $(DOCKER_VOLUME)     $(DOCKER_USER) --entrypoint="pandoc"                $(DOCKER_IMAGE)
 HUGO          = $(DOCKER_COMMAND) $(DOCKER_VOLUME)     $(DOCKER_USER) --entrypoint="hugo"                  $(DOCKER_IMAGE)