This PR mostly addresses issues raised in #2119 and changes the way Git dependencies are initialized to make pushing changes from the cloned repository easier. The following workflow will be now possible/easier with Paket:

1. Add a git dependency to paket.dependencies, then run paket update/install to clone and checkout the repo.
2. Checkout master or create a feature branch in the cloned (downstream) repo, i.e. the repo under paket-files directory.
3. Make changes in the cloned repo, run tests and commit the changes.
4. Push the changes from the cloned repo to the origin (upstream) repo, i.e. the repo specified in paket.dependencies.
5. Run paket update to update paket.lock with SHA1 of the changes pushed to the upstream repo.

I understand this PR may be controversial as it develops Paket in a way that may be currently served by Git submodules. However, Paket has some advantages over submodules:

• Paket supports semver tags when resolving Git dependencies
• Paket caches the upstream repository locally which helps build servers and saves space/time when working with multiple projects depending on same Git dependency

The changes helped our company to move away from (very painful) Nuget source packages. Feel free to suggest changes or reject the PR entirely :-). However, if you choose to accept the proposed changes, a migration strategy has to be devised before merging the PR. Otherwise users would be required to clear Paket local temp directory and respective paket-files directories as this is a breaking change.

The following changes were made to the implementation of Git dependencies:

• Cache repository (i.e. the repo under %USERPROFILE%\.paket\git\db) is cloned as a bare mirror

  Bare clone saves disk space as it does not need a working directory. Mirror clone tracks the upstream remote more closely as it always recreates refs.

• Downstream repository is configured with the origin remote pointing to the upstream repository (instead of the cache repository)

  Having the upstream repo configured as the origin makes pushing changes to the upstream more natural. We also want to prevent user from pushing the changes to the cache directly - the cache should be managed by Paket.

• Tracking branch for each downstream repo (b<REPO_PATH_HASH>) is no longer created in the cache repo

  The branch IMO serves no practical purpose now, see next point.

• paket/lock tag is created and checked out in the downstream repository when updateing/restoreing the dependency

  This allows user to see what the original checked out commit was when making changes. By checking out the tag - instead of resetting the downstream repo --hard to the tracking branch - the repo starts in the detached HEAD state which:

  • allows easy experimentation - user can discard her commits simply by checking out the paket/lock tag again
  • forces user to checkout a branch when doing meaningful changes.

• Downstream repository is checked for uncommitted changes before updateing/restoreing the dependency

  This prevents hard-to-track bugs as well as non-repeatable builds that might occur by merging user's uncommitted changes into the new working directory.

• Downstream repository is checked for commits made in the detached HEAD state before updateing/restoreing the dependency

  This makes working in the downstream repository safer as it saves user from having to inspect reflog after "losing" her commits. It also forces the user to move the changes to a permanent branch when making meaningful changes.

No tests were impacted by the changes. However, there are currently few integration tests covering Git dependencies.