fix(binary,sim): CWD-resilient binary template; simplify sim

Andrew Dunnrequested to merge
fix/binary-cwd-resilient into main

Sim-go-binary on the post-merge main pipeline surfaced a real bug in the binary template: it assumed CWD stayed at $CI_PROJECT_DIR across script lines. A consumer build_script that cd's elsewhere broke the subsequent cd dist && sha256sum * (wrong dir) and the cosign for f in dist/* loop (glob no-match → literal 'dist/' → cosign sign 'dist/' file-not-found).

Fix

Binary template: every step that touches dist/ now cd's back to CI_PROJECT_DIR first; `shopt -s nullglob` so empty globs don't fall through to literal; defensive `{CI_COMMIT_TAG:-}` in publish.

Sim: simplified to write source under /tmp and build to dist/ relative to CWD. The template's hardening covers the broken-consumer case anyway.

This is exactly what the sim harness was designed to catch.

Merge request reports