Backport of "fix: Fix malformed safe.directory in workflows"
What does this MR do and why?
Backport of !234827 (merged) ("fix: Fix malformed safe.directory in workflows") into 19.0 stable.
The Duo Workflow / DAP SAST Vulnerability Resolution flow sets safe.directory to a malformed value (${CI_PROJECT_DIR}, a Ruby string literal that Git receives verbatim, never shell-expanded), which breaks the flow on non-root CI runners. This affects regulated GitLab Dedicated and self-managed customers running non-root. The fix sets it to /builds/*, a valid glob safe.directory accepts since Git 2.35. One-line static-string change plus its spec.
- Original MR (merged to default, deployed to GitLab.com): !234827 (merged)
- Backport context: gitlab-org/release/tasks#27029 (self-serve backport into the 2026-06-24 patch; no exception required per the N/N-1/N-2 maintenance-policy extension)
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- This MR is backporting a bug fix, documentation update, or spec fix, previously merged in the default branch.
- The MR that fixed the bug on the default branch has been deployed to GitLab.com (not applicable for documentation or spec changes).
- The MR title is descriptive (e.g. "Backport of 'title of default branch MR'"). This is important, since the title will be copied to the patch blog post.
- Required labels have been applied to this merge request
  - severity label and bug subtype labels (if applicable)
  - If this MR fixes a bug that affects customers, the customer label has been applied.
- This MR has been approved by a maintainer (only one approval is required).
- Ensure the e2e:test-on-omnibus-ee job has succeeded, or if it has failed, investigate the failures. If you determine the failures are unrelated, you may proceed. If you need assistance investigating, reach out to a Software Engineer in Test in #s_developer_experience.
Note to the merge request author and maintainer
If you have questions about the patch release process, please:
- Refer to the patch release runbook for engineers and maintainers for guidance.
- Ask questions on the #releases Slack channel (internal only).
- Once the backport has been merged, the commit changes will be automatically deployed to a release environment that can be used for manual validation. See after merging runbook for details.
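The malformed value described in this MR can be caught before it reaches Git. The following is an added example, not code from the MR or from GitLab: the names `safe_directory_problems`, `covers?` and `audit` are hypothetical, the repository path is constructed, and the matching rules are a simplified model (assumption) of how `safe.directory` treats `*` and a trailing `/*`.

```ruby
# Added example, not GitLab code. All method names are hypothetical.
require 'pathname'

# Shell-style placeholders. Ruby interpolates "#{...}" only, so "${VAR}" and
# "$VAR" stay literal and reach Git verbatim when no shell is involved.
UNEXPANDED = /\$\{[^}]*\}|\$[A-Za-z_][A-Za-z0-9_]*/

# Policy for this sketch (assumption, stricter than Git itself): accept only
# "*" or an absolute path, and never an unexpanded placeholder.
def safe_directory_problems(value)
  problems = []
  problems << 'unexpanded shell placeholder' if value.match?(UNEXPANDED)
  unless value == '*' || Pathname.new(value).absolute?
    problems << 'not an absolute path or "*"'
  end
  problems
end

# Simplified matching model (assumption): "*" trusts every repository, a
# trailing "/*" trusts every path under that prefix, and anything else must
# equal the repository path exactly.
def covers?(value, repo_path)
  return true if value == '*'
  return repo_path.start_with?(value.chomp('*')) if value.end_with?('/*')

  value == repo_path
end

# Report, per configured value, what is wrong with it and whether it would
# mark repo_path as safe.
def audit(values, repo_path)
  values.map do |v|
    { value: v, problems: safe_directory_problems(v), covers: covers?(v, repo_path) }
  end
end

if __FILE__ == $PROGRAM_NAME
  repo = '/builds/group/project' # constructed sample checkout path
  audit(['${CI_PROJECT_DIR}', '/builds/*'], repo).each { |row| puts row.inspect }
end
```

Note that `/builds/*` marks every repository under `/builds` as safe for the user running Git, so it fits runners where that directory holds only job checkouts.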