tests: update clar test runner

Abstract time counter for tests; use gettimeofday on Unix and
GetTickCount on Windows.

Update to the latest main version of clar, which includes improved xml
summary output.

src: hide unused hmac() prototype

The builtin hash uses the code verbatim from rfc6234, including
prototypes for functions that we don't use (like hmac). Remove all
unused prototypes to avoid collisions with things that an operating
system might provide (like hmac).

It conflicts with NetBSD's in its libc.

Closes #6457

push: use resolved oid as the source

211c9719 attempts to use the parsed OID
but inverted the arguments to `git_oid_cpy`.

push: revparse refspec source, so you can push things that are not refs

thread: avoid warnings when building without threads

transport: fix capabilities calculation

ci: update version numbers of actions

Fixes #6433: git_submodule_update fails to update configured but missing submodule

This looks like a typo to me, from what i can see these lines were
added at the same time and because of how capabilities are calculated,
it's likely that this code will work in situations where these
capabilities were the last ones.

If a submodule has been configured but not yet added, do not try to update it.

Issue #6433: git_submodule_update fails to update configured but missing submodule

Verify that trying to update submodule which has been configured but not added does return an error.

Issue #6433: git_submodule_update fails to update configured but missing submodule

`git__noop` takes no arguments, so a simple `#define func(a) git__noop`
will produce warnings about the unused `a`. Introduce `git__noop_args`
to swallow arguments and avoid that warning.

URL parsing for google-compatible URLs

Add support for "safe.directory *"

add 2-clause BSD license to COPYING

http: Update httpclient options when reusing an existing connection.

Signed-off-by: Sven Strickroth <email@cs-ware.de>

Fix leak in git_tag_create_from_buffer

Ignore missing 'safe.directory' config during ownership checks

commit-graph: only verify csum on git_commit_graph_open().

This should resolve some issues with UBSan builds by using unsigned
64-bit integers for all arithmetic until we finally convert to an offset
or size value.

Signed-off-by: Derrick Stolee <derrickstolee@github.com>

The server and client negotiate a single hostkey, but the "best" cipher may not
be the one for which we have an entry in `known_hosts`. This can lead to us not
finding the key in known_hosts even though we should be connecting.

Instead here we look up the hostname with a nonsense key to perform a lookup in
the known hosts and set that. This is roughly what the OpenSSH client does as
well.

We're currently running it as part of the online suite but that doesn't have any
setup for ssh so we won't find the GitHub keys we set up during the test.

It doesn't need the private key setup as we just want to make sure we see some
auth request from the server, but with the addition of hostkey checking we're
now seeing it fail when we skip these tests.

Currently just the one test needs it.

The ssh-rsa makes sure we're asking for the cipher we find in `known_hosts` as
that won't be the one selected by default. This will be relevant in later changes.

It is expensive to compute the sha1 of the entire commit-graph file each
time we open it. Git only does this if it is re-writing the file.

This patch will only verify the checksum when calling the external API
git_commit_graph_open(), which explicitly says it opens and verifies
the commit graph in the documentation.

For internal library calls, we call git_commit_graph_get_file(), which
mmaps the commit-graph file in read-only mode. Therefore it is safe to
skip the validation check there.

Tests were added to check that the validation works in the happy path,
and prevents us from opening the file when validation fails.

(Note from Derrick Stolee: This patch was applied internally at GitHub
after we recognized the performance impact it had during an upgrade of
libgit2. The original author left the company before we remembered to
send it upstream.)

Signed-off-by: Derrick Stolee <derrickstolee@github.com>

If the tag already exists and we are not forcing overwrite we need to free ref_name buffer before return the "tag already exists" error.

It turns out this has been available in libssh2 for a long time and we should
have been verifying this the whole time.

Httpclient internally stores a copy of the certificate_check callback and
payload. When connecting via HTTPS, and if the server sends back
"Connection: close" after the first request, the following request would
attempt to re-use the httpclient and call the (now outdated) callback. In
particular for pygit2 this is a problem, since callbacks / payloads are only
valid for the duration of a libgit2 call, leading to a ffi.from_handle()
error and crashing the Python interpreter.

The path to the default CLI output has changed, update it.