Improve git security settings by daniel-mohedano · Pull Request #10486 · DataDog/dd-trace-java
PR by Bits
---
## Description
Improves Git security settings by replacing the global `safe.directory` configuration approach with per-command configuration overrides. Instead of modifying Git's global configuration, the implementation now:
- Resolves the Git repository root from the working directory
- Passes the repository root as a command-line override using `-c safe.directory=<repo>` for each Git command
- Eliminates global Git configuration mutations entirely
- Removes the in-memory cache of safe directory entries
This approach maintains security by limiting safe directory configuration to only the specific repository being accessed on a per-command basis, while avoiding global configuration changes and their associated performance and maintenance overhead.
## Testing
Updated two test cases:
- `test_git_safe_directory_override_added_for_repo_root`: Verifies that Git commands include the `-c safe.directory=<repo>` override for the repository root
- `test_git_safe_directory_override_skipped_without_repo`: Verifies that no override is added when operating outside a Git repository
Removed the mocked `_set_safe_directory` call from `test_extract_git_metadata` to test the actual metadata extraction flow with the new override mechanism.
## Risks
None
## Additional Notes
This implementation aligns with the Java tracer's approach ([PR 10486](DataDog/dd-trace-java#10486)) by using repository-specific safe directory configuration rather than a global wildcard or global entries, improving both security posture and Git configuration cleanliness. The per-command override approach ensures that Git security checks remain effective while allowing the tracer to access metadata from repositories in security-restricted environments.
SDTEST-3222
Co-authored-by: datadog-datadog-prod-us1[bot] <88084959+datadog-datadog-prod-us1[bot]@users.noreply.github.com>
Co-authored-by: datadog-official[bot] <214633350+datadog-official[bot]@users.noreply.github.com>
Co-authored-by: federico.mon <federico.mon@datadoghq.com>
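
An added sketch of the per-command override the description outlines, not code from this PR or from the tracer. The names `find_repo_root`, `build_git_command`, `run_git` and the `ceiling` parameter are hypothetical, and resolving the root by walking up to a `.git` entry is an assumption, since the description does not say how the root is resolved.

```python
import subprocess
from pathlib import Path
from typing import List, Optional


def find_repo_root(cwd: str, ceiling: Optional[str] = None) -> Optional[str]:
    """Return the nearest ancestor of cwd (inclusive) that holds a .git entry.

    Assumption: a filesystem walk stands in for the root lookup, which the PR
    text does not specify. `ceiling` bounds the walk; that directory and
    everything above it are never inspected.
    """
    current = Path(cwd).resolve()
    stop = Path(ceiling).resolve() if ceiling else None
    for candidate in (current, *current.parents):
        if stop is not None and candidate == stop:
            break
        # .git is a directory in a plain clone, a file in worktrees/submodules.
        if (candidate / ".git").exists():
            return str(candidate)
    return None


def build_git_command(args: List[str], cwd: str,
                      ceiling: Optional[str] = None) -> List[str]:
    """Build argv for git, trusting only the resolved repository root.

    The override lives in this one argv; nothing is written to the global
    config. Outside a repository no override is added, so Git's ownership
    check is left untouched.
    """
    cmd = ["git"]
    root = find_repo_root(cwd, ceiling)
    if root is not None:
        # One exact path, never the "*" wildcard.
        cmd += ["-c", f"safe.directory={root}"]
    return cmd + list(args)


def run_git(args: List[str], cwd: str) -> subprocess.CompletedProcess:
    """Run git with the override. A list argv with no shell means the
    repository path is passed as data and is never parsed by a shell."""
    return subprocess.run(build_git_command(args, cwd), cwd=cwd,
                          capture_output=True, text=True, check=False)
```
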