git: Don't advertise internal references via git-upload-pack(1)

Gitaly knows two different types of internal references: once those that are read-only and thus hidden from git-receive-pack(1), and then those that should only be used internally and which are thus neither readable nor writeable. We already handle the former type of internal references by setting up receive.hideRefs, but we don't handle the latter type.

Fix this by setting up hidden reference for git-upload-pack(1). This causes us to not advertise references with a prefix of refs/tmp or refs/keep-around when fetching from repositories.

Note that because we set transport.hideRefs=!refs/ in our gitaly-ssh executable, this change does not impact internal fetches. This is expected and required to keep e.g. ReplicateRepository() working correctly.

Changelog: fixed

Fixes #4358 (closed).

Supersedes !4725 (closed).