FF_GIT_URLS_WITHOUT_TOKENS defaults to true

What does this MR do?

Starting in GitLab 18.0 FF_GIT_URLS_WITHOUT_TOKENS defaults to true.

FF_GIT_URLS_WITHOUT_TOKENS behaviour
on
  • URLs in the repo's git config, command line calls, and other configs do not include the token, e.g. they look like https://gitlab.com/project/repo.git
  • For authentication, gitlab-runner sets up a custom git credential helper, which pulls the credentials from the environment
off
  • URLs in the repo's git config, command line calls, and other configs do include the token, e.g. they look like https://user:<TOKEN>@gitlab.com/project/repo.git

Users that install and configure GitLab Runner can set the value to false to opt out.

While working on this MR, we've found additional issues:

  • Issues with command line arguments when setting up the cred helper with powershell/pwsh

    Different versions of powershell handle arguments to external commands differently. Also there is an experimental feature for pwsh 7.2.x for argument handling. The exact version and experimental features can only be discovered at runtime. Thus the whole cred helper setup has been pushed to the shell writer and those specifics are handled there.

  • Issue with git strategy "clone" and FF_USE_GIT_NATIVE_CLONE

    This was recently merged, but was not implemented with the git cred helper in mind. This was back-filled and tests for native clone have been added.

Why was this MR needed?

To limit the potential of token leakage

What's the best way to test this MR?

  • run a job without changing this FF (i.e. have it enabled)
  • use a private repo
  • potentially test variations:
    • test with private submodules
    • test with different executors, different shells, different OSs
    • test with powershell variations
  • see that the repo can be pulled in

In case we find a combination of executor/shell/OS/config where this does not work, the previous behavior can be restored by explicitly setting this FF to false.

What are the relevant issue numbers?

Some history related to this FF:

closes the following issues:

Edited by Hannes Hörl
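
An added example, not GitLab Runner's own code, of the two behaviours described above: a credential helper that answers git's helper protocol from environment variables, and a check that flags token-bearing URLs in a git config file. The names cred_helper, find_token_urls, EXAMPLE_GIT_USER and EXAMPLE_GIT_TOKEN are hypothetical, and the config content is constructed.

```shell
#!/bin/sh
# Added example: an environment-backed credential helper and a config check
# for token-bearing URLs. Not gitlab-runner's own code.

# Credential helper speaking git's helper protocol: git appends the operation
# ("get", "store", "erase") as the last argument and writes key=value lines
# on stdin. EXAMPLE_GIT_USER / EXAMPLE_GIT_TOKEN are hypothetical names.
cred_helper() {   # usage: cred_helper <allowed-host> <operation>
    allowed=$1 host=
    [ "$2" = "get" ] || return 0        # store/erase: persist nothing
    while IFS='=' read -r key value; do
        [ -n "$key" ] || break          # blank line ends the request
        [ "$key" = "host" ] && host=$value
    done
    # Answer only for the expected host so the token is not offered elsewhere.
    [ "$host" = "$allowed" ] || return 0
    printf 'username=%s\npassword=%s\n' "$EXAMPLE_GIT_USER" "$EXAMPLE_GIT_TOKEN"
}

# Print config lines whose URL carries userinfo (scheme://user:secret@host),
# with the secret masked. Returns 0 when the file is clean, 1 otherwise.
find_token_urls() {
    if grep -Eq '[a-z+]+://[^/@[:space:]]+:[^/@[:space:]]+@' "$1"; then
        sed -En 's#([a-z+]+://[^/:@[:space:]]+):[^/@[:space:]]+@#\1:<redacted>@#p' "$1"
        return 1
    fi
    return 0
}

# Demo on a constructed config using the token-in-URL form (flag off).
demo=$(mktemp)
printf '[remote "origin"]\n\turl = https://user:constructed-secret@gitlab.com/project/repo.git\n' >"$demo"
find_token_urls "$demo" || echo "token-bearing URL found (secret masked above)"
rm -f "$demo"
```

Running find_token_urls against a job's .git/config is one way to confirm the flag's effect while testing: with the flag on, it should return 0.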
