1 files changed, 8 insertions, 6 deletions

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 149b4cd2a..38a6a4133 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -157,16 +157,17 @@ build:binaries:
 test:
   <<: *test_definition
   script:
-    # This command will make all directories except of our build directory and Ruby code unwritable.
-    # The purpose is to verify that there is no test which writes into those directories anymore, as
-    # they should all instead use a temporary directory for runtime data.
-    - find . -type d \( -path ./_build -o -path ./ruby \) -prune -o -type d -exec chmod a-w {} \;
     # If we're testing with bundled Git, then we don't want to have the Git
     # installation around. Otherwise, Git would be able to resolve its binaries
     # by just looking at its own GIT_PREFIX and then pick binaries from that
     # installation directory.
     - if test -n "${WITH_BUNDLED_GIT}"; then rm -rf _build/deps/git/install; fi
-    - make ${TARGET}
+    # We need to prepare test dependencies as privileged user.
+    - make build prepare-tests
+    # But the actual tests should run unprivileged. This assures that we pay
+    # proper attention to permission bits and that we don't modify the source
+    # directory.
+    - setpriv --reuid=9999 --regid=9999 --clear-groups --no-new-privs env HOME=/dev/null make ${TARGET} SKIP_RSPEC_BUILD=YesPlease
   parallel:
     matrix:
       # These definitions are for the non-default Git versions.
@@ -234,7 +235,8 @@ test:nightly:
   <<: *test_definition
   script:
     - go version
-    - make all ${TARGET}
+    - make build prepare-tests
+    - setpriv --reuid=9999 --regid=9999 --clear-groups --no-new-privs env HOME=/dev/null make ${TARGET} SKIP_RSPEC_BUILD=YesPlease
   parallel:
     matrix:
       - GIT_VERSION: [ "master", "next" ]