The TYPO3 backend get's an additional .htaccess linked in /typo3 to add further access restrictions (e.g. based on IP ranges) in this snippet

config-typo3backend-.htaccess

#
# Limit access to /typo3/ (TYPO3 backend, TYPO3 Install Tool/Admin Tools)
#
Order deny,allow
Deny from all
# VPN Clients
Allow from 10.10.89.0/24
# Allow from localhost
Allow from 127.0.0.1

Makefile_Snippet_TYPO3_backend_restriction

# a) set env var initially to false
DEVELOPMENT_ENVIRONMENT_ACTIVE = FALSE

# b) set env var to true if env var CI_PROJECT_DIR is not set at all or is empty (The name of the variable is given by GitLab CI)
ifeq ($(CI_PROJECT_DIR),)
    DEVELOPMENT_ENVIRONMENT_ACTIVE = TRUE
endif
# In an local environment the value will be TRUE now. So we can use this in IF queries in our Makefile

# ...
# other makefile targets
# ...

# c) add the target und run the commands only in non local development environments
app/public/typo3/.htaccess:
ifeq ($(DEVELOPMENT_ENVIRONMENT_ACTIVE),FALSE)
	echo "Linking .htaccess into document root /typo3/ (limit TYPO3 backend access)" \
	&& cd app/public/typo3 && ln -sf ../../config/typo3backend/.htaccess
endif

# FINAL INFO:
# in a real world scenario the shown target has of course a dependency on "app/vendor/autoload.php" (another target) which runs the proper `composer install` commands. Because based on your project setup you probably have no public/ directory in you GIT repository.