chore(deps): update git2 requirement from 0.20.4 to 0.21.0 in the cargo-dependencies group #174

Merged
MatejGomboc merged 5 commits into main from dependabot/cargo/cargo-dependencies-2628f3b4bf
May 27, 2026

@dependabot dependabot Bot commented on behalf of github May 25, 2026

Description

Dependabot bump of git2 0.20.4 → 0.21.0. The 0.21 release contains
breaking changes that broke the build, so this PR also carries the code
migration needed to compile against the new API. No behavioural change to
this crate — the credential relay and tree-streaming logic are functionally
identical to before.

1. Build migration

Upstream breaking changes addressed:

  1. default Cargo features became empty (0.20 was default = ["ssh", "https"],
    0.21 is default = []). Cargo.toml now requests features = ["https", "ssh"]
    explicitly — the exact set 0.20.4 enabled by default — which transitively
    enables the new cred feature that now gates Cred::credential_helper
    (used in src/git2_ops/auth.rs).
  2. String accessors now return Result<&str, Error> instead of Option<&str>
    (UTF-8 validation). TreeEntry::name() callbacks in streaming/tar.rs (×2)
    and git2_ops/submodule.rs (×1) changed from let Some(name) = … to
    let Ok(name) = …, preserving the skip-on-non-UTF-8 behaviour; one
    Commit::message() assertion in a push.rs test changed from Some(..)
    to Ok(..).
  3. Oid::zero() deprecated → replaced with the Oid::ZERO_SHA1 constant in
    three submodule.rs tests (would otherwise fail under -D warnings).

2. Coverage follow-up

Two of the migrated let Ok(name) lines live in submodule walk callbacks
(find_submodule_entries and the private write_submodules_to_tar) that were
only exercised by the Python integration tests. The PR coverage job
(ci_pr.yml) is unit-tests-only, so Codecov patch coverage initially flagged
those two changed lines as uncovered (71.43% < 80% gate). Added three unit
tests that close the gap with no network:

  • find_submodule_entries_detects_gitlink_in_tree and
    find_submodule_entries_gitlink_missing_from_gitmodules_is_skipped — build a
    tree containing a real gitlink (mode 160000) entry and assert it is / isn't
    returned.
  • write_submodules_to_tar_writes_submodule_files — drives
    write_submodules_to_tar against a locally-created bare repo via a new
    test-only FetchResult::from_parts_for_test constructor.

Verified locally with cargo llvm-cov that both previously-missed lines are
now unit-covered. Full suite: 597 unit tests + integration.

Related Issue

N/A — automated dependency update.

Type of Change

  • Refactoring (no functional changes) — dependency bump + API migration; this crate's behaviour is unchanged
  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • CI/CD changes
  • Security improvement

Security Checklist ⚠️

Since this is a credential-handling project:

  • No credentials, tokens, or secrets are included in code, comments, or tests
  • No credentials appear in log messages or error messages
  • No credentials are exposed in MCP responses
  • Credentials are scoped to their operation, not cached or persisted (see src/git2_ops/auth.rs) — the feature-flag change re-enables the same credential_helper path; no caching introduced
  • Error messages don't leak sensitive information

Testing

  • I have tested these changes locally
  • I have added tests that prove my fix/feature works — three unit tests covering the migrated submodule walk callbacks
  • New and existing tests pass (cargo test)

Code Quality

  • Code compiles without warnings (cargo build)
  • Clippy passes (cargo clippy --all-targets --all-features -- -D warnings)
  • Code is formatted (cargo fmt --all --check)
  • Markdown is lint-clean (markdownlint-cli2 "**/*.md")
  • Toolchain pin is consistent (bash .github/scripts/check-toolchain-pin.sh)
  • Documentation is updated if needed
  • CHANGELOG.md is updated for user-facing changes

Additional Notes

This branch has been pushed to manually, so Dependabot will no longer auto-rebase
or resolve conflicts on it (commenting @dependabot recreate would overwrite the
migration commits). The upstream git2 0.21 changelog highlights are preserved below.

Upstream git2 0.21.0 changelog (key breaking changes)

From git2's changelog:

  • ❗ The ssh, https, and cred Cargo features are no longer enabled by default
    (was default = ["ssh", "https"]; now default = []). #1168
  • CredentialHelper and the url dependency are now gated behind the new cred
    feature; enabling ssh or https transitively enables cred. #1168
  • ❗ Updated to the 2021 edition. #1173
  • ❗ Many string accessors that returned Option<&str> now return Result<&str, Error>
    or Result<Option<&str>, Error>. #1241
  • Bumped requirement to libgit2-sys 0.18.4 (libgit2 1.9.3).

Full diff: git2-0.20.4...git2-0.21.0


Updates the requirements on [git2](https://github.com/rust-lang/git2-rs) to permit the latest version.

Updates `git2` to 0.21.0
- [Changelog](https://github.com/rust-lang/git2-rs/blob/main/CHANGELOG.md)
- [Commits](https://github.com/rust-lang/git2-rs/commits/git2-0.21.0)

---
updated-dependencies:
- dependency-name: git2
  dependency-version: 0.21.0
  dependency-type: direct:production
  dependency-group: cargo-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file rust Pull requests that update rust code labels May 25, 2026
@dependabot dependabot Bot requested a review from MatejGomboc as a code owner May 25, 2026 00:30
git2 0.21 ships two breaking changes that broke the build:

1. `default` features became empty (0.20 enabled "ssh" + "https").
   Request them explicitly so `Cred::credential_helper` (now gated
   behind the new transitive "cred" feature) resolves again.
2. `TreeEntry::name()` and `Commit::message()` now return
   `Result<&str, Error>` instead of `Option<&str>`. Switch the three
   tree-walk `let Some(name)` callbacks to `let Ok(name)` (preserving
   the skip-on-non-UTF-8 behaviour) and one test assertion to `Ok(..)`.

Also replace the deprecated `Oid::zero()` with `Oid::ZERO_SHA1` in
three submodule tests. Updated CHANGELOG.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
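
Added example, not code from this PR or from git2: a std-only model of the `Option<&str>` to `Result<&str, Error>` accessor change described in the commit message above. It shows that `let Ok(name) = … else` skips the same non-UTF-8 entries that `let Some(name) = … else` did, and counts them so the omission is visible. `Entry`, `name_opt`, `gitlinks_old`, `gitlinks_new` and the sample tree are hypothetical stand-ins, with `from_utf8` playing the role of the UTF-8 validation.

```rust
// Added illustration: a std-only model, not git2 and not this project's code.
use std::str::{from_utf8, Utf8Error};
const GITLINK_MODE: u32 = 0o160000; // tree-entry mode of a submodule gitlink

/// Hypothetical stand-in for a tree entry (the real type is git2::TreeEntry).
struct Entry { name_bytes: Vec<u8>, mode: u32 }

impl Entry {
    /// Models the old accessor shape: invalid UTF-8 collapses to None.
    fn name_opt(&self) -> Option<&str> {
        from_utf8(&self.name_bytes).ok()
    }
    /// Models the new accessor shape: invalid UTF-8 is an explicit Err.
    fn name(&self) -> Result<&str, Utf8Error> {
        from_utf8(&self.name_bytes)
    }
}

/// Pre-migration pattern: non-UTF-8 names are skipped silently.
fn gitlinks_old(entries: &[Entry]) -> Vec<String> {
    let mut found = Vec::new();
    for e in entries {
        let Some(name) = e.name_opt() else { continue };
        if e.mode == GITLINK_MODE { found.push(name.to_string()); }
    }
    found
}

/// Post-migration pattern: same skip, but the skipped entries are counted.
fn gitlinks_new(entries: &[Entry]) -> (Vec<String>, usize) {
    let (mut found, mut skipped) = (Vec::new(), 0);
    for e in entries {
        let Ok(name) = e.name() else { skipped += 1; continue };
        if e.mode == GITLINK_MODE { found.push(name.to_string()); }
    }
    (found, skipped)
}

/// Constructed sample tree: one blob, one gitlink, one Latin-1-named gitlink.
fn sample() -> Vec<Entry> {
    vec![
        Entry { name_bytes: b"README.md".to_vec(), mode: 0o100644 },
        Entry { name_bytes: b"libfoo".to_vec(), mode: GITLINK_MODE },
        Entry { name_bytes: b"caf\xe9".to_vec(), mode: GITLINK_MODE },
    ]
}

fn main() {
    let (found, skipped) = gitlinks_new(&sample());
    println!("gitlinks: {found:?}, skipped non-UTF-8 entries: {skipped}");
}
```

A non-zero skip count means the walk's output omits entries that exist in the tree, which is worth surfacing in logs for anything that archives or audits repository contents.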

codecov Bot commented May 27, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


MatejGomboc and others added 3 commits May 27, 2026 07:25
The git2 0.21 `Some`→`Ok` migration touched two submodule walk
callbacks (`find_submodule_entries` and `write_submodules_to_tar`)
whose `let Ok(name) = entry.name()` lines were only exercised by the
Python integration tests. Those don't run in the PR coverage job
(ci_pr.yml is unit-tests-only), so Codecov patch coverage flagged
them as uncovered changed lines (71.43% < 80% gate).

Add three unit tests that close the gap without any network:

- find_submodule_entries_detects_gitlink_in_tree / _gitlink_missing_
  from_gitmodules_is_skipped: build a tree containing a real gitlink
  (mode 160000) entry and assert the entry is/isn't returned.
- write_submodules_to_tar_writes_submodule_files: drive the private
  write_submodules_to_tar against a locally-created bare repo via a
  new test-only FetchResult::from_parts_for_test constructor.

Both previously-missed lines are now unit-covered; full suite is 597
unit tests. Updated CHANGELOG.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@MatejGomboc MatejGomboc merged commit 756f665 into main May 27, 2026
11 checks passed
@MatejGomboc MatejGomboc deleted the dependabot/cargo/cargo-dependencies-2628f3b4bf branch May 27, 2026 05:56