turbo
fe34922d - fix: Command injection in `turbo-ignore` (#11154)

Commit
94 days ago
fix: Command injection in `turbo-ignore` (#11154)

### Description

Fixes a command injection vulnerability in `turbo-ignore` by replacing `execSync` with `execFileSync` when validating git refs. The old implementation used shell command strings. The fix ensures that user-controlled input (like git refs from environment variables) is passed as literal arguments rather than being interpreted by a shell.

### Testing Instructions

Run the security test: `pnpm test security.test.ts` in `packages/turbo-ignore`

---------

Co-authored-by: Pyry Takala <pyrytakala@users.noreply.github.com>
Co-authored-by: Anthony Shew <anthonyshew@gmail.com>
Co-authored-by: Anthony Shew <anthony.shew@vercel.com>