updateref: Safeguard against accidentally committing updates

With git v2.28.0, git-update-ref has grown a set of verbs which allow users to explicitly control transactional behaviour. With these verbs, it's possible to change the default behaviour of committing when stdin closes to aborting when stdin closes, such that one needs an explicit "commit" instruction to persist changes on disk.

This commit changes our updater to use those new verbs to enable this explicit behaviour. In theory, this shouldn't make any difference at all as the command's standard input only gets closed upon calling Wait(), while context cancellation should also cancel the process and abort the reference transaction. In practice, this is defense in depth against any unwanted side effects of having git-update-ref running which we inadvertently fail to correct kill off and which may as a result persist changes which we didn't intend to persist.