ci: always create test summaries, even on failure

When the dependent jobs fail -- possibly due to test failures -- we
should still produce the job summary that shows those test failures.

tests: update clar test runner

Abstract time counter for tests; use gettimeofday on Unix and
GetTickCount on Windows.

Update to the latest main version of clar, which includes improved xml
summary output.

src: hide unused hmac() prototype

The builtin hash uses the code verbatim from rfc6234, including
prototypes for functions that we don't use (like hmac). Remove all
unused prototypes to avoid collisions with things that an operating
system might provide (like hmac).

It conflicts with NetBSD's in its libc.

Closes #6457

push: use resolved oid as the source

211c9719 attempts to use the parsed OID
but inverted the arguments to `git_oid_cpy`.

push: revparse refspec source, so you can push things that are not refs

thread: avoid warnings when building without threads

transport: fix capabilities calculation

ci: update version numbers of actions

`git_clone` checks for existence of (non-empty) directories that would clash with what is about to be cloned.

This is problematic when cloning submodules since they make sense in the context of a parent module, so they should not use the current working dir.

Since in `git_submodule_update` we clone the submodule only when it is not yet initialized we do not need to perform directory checks.

Fixes #6433: git_submodule_update fails to update configured but missing submodule

This looks like a typo to me, from what i can see these lines were
added at the same time and because of how capabilities are calculated,
it's likely that this code will work in situations where these
capabilities were the last ones.

If a submodule has been configured but not yet added, do not try to update it.

Issue #6433: git_submodule_update fails to update configured but missing submodule

Verify that trying to update submodule which has been configured but not added does return an error.

Issue #6433: git_submodule_update fails to update configured but missing submodule

`git__noop` takes no arguments, so a simple `#define func(a) git__noop`
will produce warnings about the unused `a`. Introduce `git__noop_args`
to swallow arguments and avoid that warning.

URL parsing for google-compatible URLs

Add support for "safe.directory *"

add 2-clause BSD license to COPYING

http: Update httpclient options when reusing an existing connection.

Signed-off-by: Sven Strickroth <email@cs-ware.de>

Fix leak in git_tag_create_from_buffer

Ignore missing 'safe.directory' config during ownership checks

commit-graph: only verify csum on git_commit_graph_open().

This should resolve some issues with UBSan builds by using unsigned
64-bit integers for all arithmetic until we finally convert to an offset
or size value.

Signed-off-by: Derrick Stolee <derrickstolee@github.com>

The server and client negotiate a single hostkey, but the "best" cipher may not
be the one for which we have an entry in `known_hosts`. This can lead to us not
finding the key in known_hosts even though we should be connecting.

Instead here we look up the hostname with a nonsense key to perform a lookup in
the known hosts and set that. This is roughly what the OpenSSH client does as
well.

We're currently running it as part of the online suite but that doesn't have any
setup for ssh so we won't find the GitHub keys we set up during the test.

It doesn't need the private key setup as we just want to make sure we see some
auth request from the server, but with the addition of hostkey checking we're
now seeing it fail when we skip these tests.

Currently just the one test needs it.

The ssh-rsa makes sure we're asking for the cipher we find in `known_hosts` as
that won't be the one selected by default. This will be relevant in later changes.

It is expensive to compute the sha1 of the entire commit-graph file each
time we open it. Git only does this if it is re-writing the file.

This patch will only verify the checksum when calling the external API
git_commit_graph_open(), which explicitly says it opens and verifies
the commit graph in the documentation.

For internal library calls, we call git_commit_graph_get_file(), which
mmaps the commit-graph file in read-only mode. Therefore it is safe to
skip the validation check there.

Tests were added to check that the validation works in the happy path,
and prevents us from opening the file when validation fails.

(Note from Derrick Stolee: This patch was applied internally at GitHub
after we recognized the performance impact it had during an upgrade of
libgit2. The original author left the company before we remembered to
send it upstream.)

Signed-off-by: Derrick Stolee <derrickstolee@github.com>