How to list all files with only arbitrary file path read, but no directory listing nor sudo?

You can try other locate implementations that index world-accessible files in a world-readable index, typically located at /var/lib/locate/locatedb or /var/cache/locate/locatedb or some such.

I don't see a lot of need for file listing to escalate your access on a typical server. Usually you'd know what application you're attacking and retrieve its configuration files and its database and obtain credentials this way. You might try files such as .netrc, .ssh/id_rsa and .ssh/config to see if the account can be a gateway into other accounts. If you aren't sure what may be running on the box, try lots and lots of plausible file names.

The one thing that's a bit long to exhaust is the PID values, to explore what's running. It takes 32k requests to exhaust pid_t under Linux by default, and you can check the maximum value in /proc/sys/kernel/pid_max. The command line is in /proc/PID/cmdline; you don't get to see the list of open files (you need readlink for that) but you can see their content (cat /proc/PID/fd/0 …).

For the specific case of a build service, do check the configuration files of that service. That should help you locate the git repository. If you've been able to locate a git checkout, look in .git/index and .git/logs/HEADS and perhaps other files in .git/logs (experiment with that service to see which branches are used and what operations it uses). This should let you retrieve object IDs which you can then read from .git/objects.

Other than finding a locate database, I can't think of a way to elevate read-files access into list-files with a typical configuration.