fix: git config system

[DeveloperC286]

Changing the Make target Docker command to mimic the GitHub Actions environment to cause the same failure.

• https://git-scm.com/docs/git-config#Documentation/git-config.txt---global

--global
For writing options: write to global ~/.gitconfig file rather than the repository .git/config, write to $XDG_CONFIG_HOME/git/config file if this file exists and the ~/.gitconfig file doesn’t.

For reading options: read only from global ~/.gitconfig and from $XDG_CONFIG_HOME/git/config rather than from all available files.

• https://git-scm.com/docs/git-config#Documentation/git-config.txt---system

For writing options: write to system-wide $(prefix)/etc/gitconfig rather than the repository .git/config.

For reading options: read only from system-wide $(prefix)/etc/gitconfig rather than from all available files.

[claude]

PR Review: fix: git config system

Summary

This PR addresses a Git safe.directory configuration issue to make the Docker environment match the GitHub Actions environment. The changes are focused and appropriate for fixing the specific issue described.

Code Quality and Best Practices

Dockerfile (Dockerfile:4-5)

• ✅ Good: The git config command is properly chained with && to the apk install command, ensuring proper error handling
• ✅ Good: Uses --system flag appropriately for system-wide configuration
• ✅ Good: The wildcard '*' allows any directory to be treated as safe, which is appropriate for a containerized CI environment
• ⚠️ Note: Using safe.directory '*' is a broad permission. This is acceptable in a controlled CI/Docker environment but should be documented in the PR description why this is needed (appears to be related to Git ownership checks in containerized environments)

Makefile (Makefile:111)

• ✅ Good: Changed from DOCKER_RUN_WRITE_OPTS to DOCKER_RUN_OPTS - this is correct since the dogfood target is read-only (just linting commits)
• ✅ Good: Added environment variables (HOME=/github/home, GITHUB_ACTIONS=true, CI=true) to mimic GitHub Actions environment exactly
• ✅ Good: This helps reproduce GitHub Actions failures locally, which is excellent for debugging

Potential Bugs or Issues

1. No issues identified - The changes are straightforward and address the specific problem described in the PR
2. The switch from DOCKER_RUN_WRITE_OPTS to DOCKER_RUN_OPTS in the Makefile is correct since:
   • The dogfood task only reads the repository to lint commits
   • It doesn't need write permissions or user mapping
   • This aligns with other read-only targets like check-rust-formatting (line 27)

Security Considerations

1. Git safe.directory wildcard (Dockerfile:5)

   • ⚠️ Low Risk: Using safe.directory '*' disables Git's ownership checks
   • This is acceptable because:
     • The container is ephemeral and single-purpose
     • The container is used in CI/automation contexts
     • There's no untrusted code execution risk in this specific use case
   • However, this should NOT be copied to other contexts where security boundaries matter

2. Environment variables (Makefile:111)

   • ✅ No sensitive data exposed
   • ✅ Only sets standard CI indicator variables

Performance Considerations

• ✅ No performance impact: Changes are configuration-only
• The Dockerfile change happens at build time, so no runtime overhead
• Environment variables in the Makefile have negligible overhead

Test Coverage

1. Existing tests apply: The PR doesn't add new functionality, so existing end-to-end tests should validate the fix

2. Manual testing recommended:

   • ✅ Run make dogfood-docker locally to verify it now works like GitHub Actions
   • ✅ Verify the Docker image builds successfully
   • ✅ Ensure the dogfood workflow passes in CI

3. Suggestions:

   • Consider adding a test case that validates the Docker environment can access git repositories without ownership errors
   • The existing end-to-end-tests should cover functionality, but a specific test for git access in Docker could prevent regression

Additional Recommendations

1. Documentation: Consider adding a comment in the Dockerfile explaining why safe.directory '*' is needed:

   # Configure git to trust all directories in container environment
   # Required because GitHub Actions runs git operations with different ownership
   git config --system --add safe.directory '*'

2. Commit message: ✅ Follows conventional commits format with "fix:" prefix

3. PR description: ✅ Well documented with links to git-config documentation

Overall Assessment

Approval: ✅ LGTM (Looks Good To Me)

This is a clean, focused fix that:

• Properly addresses the GitHub Actions environment mismatch
• Uses appropriate Git configuration for containerized CI environments
• Maintains code quality and follows repository conventions
• Has no security concerns for the intended use case

The changes are production-ready pending successful CI checks.