Remove obsolete ref_protected from STS trust policies

[d-niu]

Summary

• Remove ref_protected: "true" from dd-octo-sts trust policy claim patterns

The ref_protected OIDC claim is now obsolete in the DataDog org:

• GitHub: The org-level "incompatible file paths on windows" push ruleset causes ALL branches to report ref_protected: true in OIDC tokens, making it useless as a security signal
• GitLab: All branches on gitlab.ddbuild.io report ref_protected: true due to org-level pushAccessLevels: 40 config

Since the claim is universally true, it provides no actual filtering — only a false sense of security. Removing it has zero functional impact on policy enforcement.

All other constraints (subject, ref, job_workflow_ref, project_path, pipeline_source, etc.) remain unchanged and continue to provide the real security boundaries.

Ticket: https://datadoghq.atlassian.net/browse/SINT-4732

Test plan

• Verify that the remaining policy constraints are sufficient (ref, job_workflow_ref, etc. are unchanged)
• No functional change expected since ref_protected was already always true

🤖 Generated with Claude Code

[github-actions]

CODEOWNERS have been resolved as:

.github/chainguard/self.changelog.sts.yaml                              @DataDog/system-tests-core
.github/chainguard/self.gitlab-read.sts.yaml                            @DataDog/system-tests-core
.github/chainguard/self.k8s_components.sts.yaml                         @DataDog/system-tests-core
.github/chainguard/self.update-agent-protobuf.create-pr.sts.yaml        @DataDog/system-tests-core