git: Reject pushes into internal ref namespaces

Gitaly repositories host several internal ref namespaces which are used by several different parts of our application stack. These include ref namespaces for merge requests, pipelines and environments. Given that all of these represent internal state and are thus managed by GitLab, the expectation is that they shouldn't be modified by users. As it turns out, we do not have any restrictions in place though when the user performs a push: they can simply overwrite these references with their own commits.

Fix the issue by hiding those refs for git-receive-pack(1). The effect is twofold: first, these references aren't announced in the initial ref advertisement. Second, git will deny all pushes into these namespaces.

While the second property is what we're after, the first one is handy for us, too. For almost all repositories, the number of these special refs outweighs the number of normal refs by quite a bit. As an example, the initial ref advertisement of gitlab-org/gitlab results in 125,000 refs being advertised. Of these refs, 115,000 are environments, pipelines and merge requests, and only about 10,000 are real references. Advertising this many refs makes the packfile negotiation much slower.

So by hiding these refs from the initial ref advertisement, not only do we properly protect these internal refs, but we should also see a speedup of that initial ref advertisement and thus the packfile negotiation. Win-win.
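The following is an added demonstration with plain git, not code from this merge request or from Gitaly: it configures `receive.hideRefs` (assumed here to be the mechanism behind "hiding those refs for git-receive-pack(1)") on a bare repository and checks both effects, the shorter advertisement and the rejected push. The namespaces `refs/merge-requests`, `refs/pipelines` and `refs/environments` are assumed to be the internal namespaces the description refers to; git must be on PATH.

```shell
#!/bin/sh
# Added example, not Gitaly's own code. Shows what receive.hideRefs does to
# git-receive-pack(1): hidden namespaces are not advertised and pushes into
# them are denied. Namespace names below are assumptions, not taken from
# the merge request.
set -eu

# Create a bare "server" with hideRefs configured and a client with one
# commit, seed refs/heads/main, then plant a server-managed internal ref
# (constructed state standing in for what GitLab would write). Prints the
# work directory.
setup_repos() {
  work=$(mktemp -d)
  git init -q --bare "$work/server.git"
  for ns in refs/merge-requests refs/pipelines refs/environments; do
    git -C "$work/server.git" config --add receive.hideRefs "$ns"
  done
  git init -q "$work/client"
  git -C "$work/client" -c user.name=t -c user.email=t@example.invalid \
    commit -q --allow-empty -m init
  git -C "$work/client" push -q "$work/server.git" HEAD:refs/heads/main 2>/dev/null
  sha=$(git -C "$work/server.git" rev-parse refs/heads/main)
  git -C "$work/server.git" update-ref refs/pipelines/1/head "$sha"
  echo "$work"
}

# Number of refs git-receive-pack announces in its initial advertisement.
# The NUL separating the first ref from the capability list is dropped so
# grep treats the pkt-line output as text.
advertised_refs() {
  git receive-pack --advertise-refs "$1/server.git" | tr -d '\000' | grep -c ' refs/'
}

# Push the client's HEAD to the given ref on the server; prints "accepted"
# or "rejected" depending on whether receive-pack let the update through.
try_push() {
  if git -C "$1/client" push -q "$1/server.git" "HEAD:$2" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}
```

With the hidden namespaces configured, the planted `refs/pipelines/1/head` is missing from the advertisement and any push into `refs/pipelines/` or `refs/environments/` is rejected, while a push to `refs/heads/` still succeeds.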

Edited by Patrick Steinhardt