fix(instrumentation): instrument command execution

[jamietanna]

Changes

As part of ongoing work to improve OpenTelemetry instrumentation of
Renovate in #38609, we can introduce an instrumented call for each
external command execution.

This makes sure we cover the two key functions used for command
execution - exec and rawExec.

Because commands could include sensitive arguments (such as repo or
global secrets) we need to make sure we sanitize the span name.

Context

Please select one of the below:

• This closes an existing Issue: #
• This doesn't close an Issue, but I accept the risk that this PR may be closed if maintainers disagree with its opening or implementation

AI assistance disclosure

Did you use AI tools to create any part of this pull request?

Please select one option and, if yes, briefly describe how AI was used (e.g., code, tests, docs) and which tool(s) you used.

• No — I did not use AI for this contribution.
• Yes — minimal assistance (e.g., IDE autocomplete, small code completions, grammar fixes).
• Yes — substantive assistance (AI generated non‑trivial portions of code, tests, or documentation).
• Yes — other (please describe):

Documentation (please check one with an [x])

• I have updated the documentation, or
• No documentation update is required

How I've tested my work (please select one)

I have verified these changes via:

• Code inspection only, or
• Newly added/modified unit tests, or
• No unit tests but ran on a real repository, or
• Both unit tests + ran on a real repository

The public repository: https://github.com/JamieTanna-Mend-testing/backstage

When using:

module.exports = {
  secrets: {
    FAKE: "renovate/",
    FAKE_2: "yarn",
  }
}

[jamietanna]

Thoughts on how to get that coverage up?

[RahulGautamSingh]

LGTM. Not sure how to go about the tests :)

[viceice]

you can mock the instrument function to simply call the callback in tests