mwindow: set limit on number of open files

refdb: a set of preliminary refactorings for the reftable backend

To determine whether another reflog entry needs to be written for HEAD
on a reference update, we need to see whether HEAD directly or
indirectly points to the reference we're updating. The resolve logic is
currently completely unbounded except an error occurs, which effectively
means that we'd be spinning forever in case we have a symref loop in the
repository refdb.

Let's fix the issue by using `git_refdb_resolve` instead, which is
always bounded.

The refs code currently has a second implementation that resolves
references in order to find any final symbolic reference pointing to a
nonexistent target branch. As we've just extended `git_refdb_resolve` to
also return such references, let's use that one instead in order to
reduce code duplication.

In some cases, resolving references requires us to also know about the
final symbolic reference that's pointing to a nonexistent branch, e.g.
in an empty repository where the main branch is yet unborn but HEAD
already points to it. Right now, the resolving logic is thus split up
into two, where one is the new refdb implementation and the second one
is an ad-hoc implementation inside "refs.c".

Let's extend `git_refdb_resolve` to also return such final dangling
references pointing to nonexistent branches so we can deduplicate the
resolving logic.

Resolving of symbolic references is currently implemented inside the
"refs" layer. As a result, it's hard to call this function from
low-level parts that only have a refdb available, but no repository, as
the "refs" layer always operates on the repository-level. So let's move
the function into the generic "refdb" implementation to lift this
restriction.

CMake modernization pt2

There's two tests that create a commit signature, but never make any use
of it. Let's remove these to avoid any confusion.

The logic to determine whether a reflog entry should be for the HEAD
reference is non-trivial. Currently, the only user of this is the
filesystem-based refdb, but with the advent of the reftable refdb we're
going to add a second user that's interested in having the same
behaviour.

Let's pull out a new function that checks whether a given reference
should cause a entry to be written to the HEAD reflog as a preparatory
step.

The logic to determine whether a reflog should be written is
non-trivial. Currently, the only user of this is the filesystem-based
refdb, but with the advent of the reftable refdb we're going to add a
second user that's interested in having the same behaviour.

Let's pull out a new function that checks whether a given reference
should cause a reflog to be written as a preparatory step.

In the past, we've imported the CheckPrototypeDefinition into our own
module directory as it wasn't yet available in all supported CMake
versions. Now that we require at least CMake v3.5, we don't need to
bundle it anymore as it's included with the distribution already.

Let's drop the included modules and always use upstream's version.

We set up some compile definitions as part of our src/CMakeLists.txt.
While the definitions are global, we really only need them as part of
the git2internal target which compiles all the objects. Let's thus use
`target_compile_definitions` instead of `add_definitions`.

Modern CMake is usually target-driven in that a target is first defined
and then the likes of `target_sources`, `target_include_directories`
etc. are used to further populate the target. We still use old-style
CMake, where we first set up a set of variables and then populate the
target in a single call.

Let's migrate to modern CMake usage by starting to populate the sources
of our git2internal target piece-by-piece. While this is a small step,
it allows us to convert to target-based build instructions
piece-by-piece.

We currently do not set up a project version within CMake, meaning that
it can't be use by other projects including libgit2 as a sub-project and
also not by other tools like IDEs.

This commit changes this to always set up a project version, but instead
of extracting it from the "version.h" header we now set it up directly.
This is mostly to avoid mis-use of the previous `LIBGIT2_VERSION`
variables, as we should now always use the `libgit2_VERSION` ones that
are set up by CMake if one provides the "VERSION" keyword to the
`project()` call. While this is one more moving target we need to adjust
on releases, this commit also adjusts our release script to verify that
the project version was incremented as expected.

Make the tests run cleanly under UndefinedBehaviorSanitizer

Make the tests pass cleanly with MemorySanitizer

Enable building git2.rc resource script with GCC

Make NTLMClient Memory and UndefinedBehavior Sanitizer-clean

Fix the default LIBGIT2_FILENAME for GNU windres

This change makes the code pass the libgit2 tests cleanly when
MSan/UBSan are enabled. Notably:

* Changes malloc/memset combos into calloc for easier auditing.
* Makes `write_buf` return early if the buffer length is empty to avoid
  arithmetic with NULL pointers (which UBSan does not like).
* Initializes a few arrays that were sometimes being read before being
  written to.

This change:

* Initializes a few variables that were being read before being
  initialized.
* Includes https://github.com/madler/zlib/pull/393. As such,
  it only works reliably with `-DUSE_BUNDLED_ZLIB=ON`.

This change makes the tests run cleanly under
`-fsanitize=undefined,nullability` and comprises of:

* Avoids some arithmetic with NULL pointers (which UBSan does not like).
* Avoids an overflow in a shift, due to an uint8_t being implicitly
  converted to a signed 32-bit signed integer after being shifted by a
  32-bit signed integer.
* Avoids a unaligned read in libgit2.
* Ignores unaligned reads in the SHA1 library, since it only happens on
  Intel processors, where it is _still_ undefined behavior, but the
  semantics are moderately well-understood.

Of notable omission is `-fsanitize=integer`, since there are lots of
warnings in zlib and the SHA1 library which probably don't make sense to
fix and I could not figure out how to silence easily. libgit2 itself
also has ~100s of warnings which are mostly innocuous (e.g. use of enum
constants that only fit on an `uint32_t`, but there is no way to do that
in a simple fashion because the data type chosen for enumerated types is
implementation-defined), and investigating whether there are worrying
warnings would need reducing the noise significantly.

This change moves the humongous static repository with 1025 commits into
the test file, now with a more modest 16 commits.

* Change the default of the file limit to 0 (unlimited).
* Changed the heuristic to close files to be the file that contains the
  least-recently-used window such that the window is the
  most-recently-used in the file, and the file does not have in-use
  windows.
* Parameterized the filelimit test to check for a limit of 1 and 100
  open windows.

Random fixes for diff-printing

There are some cases in which repositories accrue a large number of
packfiles. The existing mwindow limit applies only to the total size of
mmap'd files, not on their number. This leads to a situation in which
having lots of small packfiles could exhaust the allowed number of open
files, particularly on macOS, where the default ulimit is very low
(256).

This change adds a new configuration parameter
(GIT_OPT_SET_MWINDOW_FILE_LIMIT) that sets the maximum number of open
packfiles, with a default of 128. This is low enough so that even macOS
users should not hit it during normal use.

Based on PR #5386, originally written by @josharian.

Fixes: #2758

index: Update the documentation for git_index_add_from_buffer()

We currently don't check for out-of-memory situations on exiting
`format_binary` and, as a result, may return a partially filled buffer.
Fix this by checking the buffer via `git_buf_oom`.

Calling abort(3P) in a library is rather rude and shouldn't happen, as
we effectively prohibit any corrective actions made by the application
linking to it. We thus shouldn't call it at all, but instead use our new
`GIT_ASSERT` macros.

Remove the call to abort(3P) in case a diff delta has an unexpected type
to fix this.

When printing the diff to a `FILE *` handle, we neither check the return
value of fputc(3P) nor the one of fwrite(3P). As a result, we'll
silently return successful even if we didn't print anything at all.
Futhermore, the arguments to fwrite(3P) are reversed: we have one item
of length `content_len`, and not `content_len` items of one byte.

Fix both issues by checking return values as well as reversing the
arguments to fwrite(3P).

Introduce CI with GitHub Actions

Add CI using GitHub Actions and GitHub Packages:

* This moves our Linux build containers into GitHub Packages; we will
  identify the most recent commit that updated the docker descriptions,
  and then look for a docker image in libgit2's GitHub Packages registry
  for a container with the tag corresponding to that description.  If
  there is not one, we will build the container and then push it to
  GitHub Packages.

* We no longer need to manage authentication with our own credentials or
  PAT tokens.  GitHub Actions provides a GITHUB_TOKEN that can publish
  artifacts, packages and commits to our repository within a workflow
  run.

* We will use a matrix to build our various CI steps.  This allows us
  to keep configuration in a single place without multiple YAML files.

Random code cleanups and fixes

examples: log: fix documentation generation

The xenial image depends on ubuntu:xenial; the bionic one on
ubuntu:bionic.  No need for this to be a variable, that's just
additional (unnecessary) state to manage in the CI setup(s).

Azure Pipelines has a version of zlib hanging out on the filesystem;
avoid trying to use it as it's either 64 _or_ 32 bit, so exactly one of
our builds will fail.