diff --git a/scripts/ci/build_emscripten.sh b/scripts/ci/build_emscripten.sh
index 04e16293fd96..e4d25f195fb7 100755
--- a/scripts/ci/build_emscripten.sh
+++ b/scripts/ci/build_emscripten.sh
@@ -37,12 +37,13 @@ set -ev
 SCRIPT_DIR="$(realpath "$(dirname "$0")/..")"
 # shellcheck source=scripts/common.sh
 source "${SCRIPT_DIR}/common.sh"
+ROOT_DIR="${SCRIPT_DIR}/.."
 
 function build() {
     local build_dir="$1"
     local prerelease_source="${2:-ci}"
 
-    cd /root/project
+    cd "${ROOT_DIR}"
 
     # shellcheck disable=SC2166
     if [[ "$CIRCLE_BRANCH" = release || -n "$CIRCLE_TAG" || -n "$FORCE_RELEASE" || "$(git tag --points-at HEAD 2>/dev/null)" == v* ]]
diff --git a/scripts/ci/build_ossfuzz.sh b/scripts/ci/build_ossfuzz.sh
index 1240b6877f1a..d4186f816d97 100755
--- a/scripts/ci/build_ossfuzz.sh
+++ b/scripts/ci/build_ossfuzz.sh
@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 set -ex
 
-ROOTDIR="/root/project"
+ROOTDIR="/project"
 BUILDDIR="${ROOTDIR}/build"
 mkdir -p "${BUILDDIR}" && mkdir -p "$BUILDDIR/deps"
 
diff --git a/scripts/ci/docker_upgrade.sh b/scripts/ci/docker_upgrade.sh
index a6b59e157e90..c2077239a5b6 100755
--- a/scripts/ci/docker_upgrade.sh
+++ b/scripts/ci/docker_upgrade.sh
@@ -51,17 +51,12 @@ docker build "scripts/docker/${IMAGE_NAME}" --file "scripts/docker/${IMAGE_NAME}
 
 echo "-- test_docker @ '${PWD}'"
 
-# NOTE: Since /root/project/ is a dir from outside the container and the owner of the files is different,
-# git show in the script refuses to work. It must be marked as safe to use first.
-# See https://github.blog/2022-04-12-git-security-vulnerability-announced/
 docker run \
   --rm \
-  --volume "${PWD}:/root/project" \
+  --volume "${PWD}:/project" \
+  -u "$(id -u "${USER}"):$(id -g "${USER}")" \
   "${IMAGE_NAME}" \
-  bash -c "
-    git config --global --add safe.directory /root/project &&
-    /root/project/scripts/ci/${IMAGE_NAME}_test_${IMAGE_VARIANT}.sh
-  "
+  bash -c "/project/scripts/ci/${IMAGE_NAME}_test_${IMAGE_VARIANT}.sh"
 
 echo "-- push_docker"