Commit
Auto merge of #12731 - Byron:gitoxide-upgrade, r=weihanglo
upgrade gitoxide to v0.54

This reduces the binary size and fixes an exploitable bug that could allow code execution by injecting arguments into hostnames of ssh URLs.

##### Binary Sizes (Release)

* `master`: 27930520
* this branch: 27869304 - a whopping 61216B less.

I assume this will get worse again once more functionality will be used in future PRs.

##### Possible Vulnerability

In versions prior to v0.54, running the following would cause the calculator app to be started on MacOS:

```
❯ gix clone 'ssh://-oProxyCommand=open$IFS-aCalculator/foo'
```

Now it prints `Error: Host name '-oProxyCommand=open-aCalculator' could be mistaken for a command-line argument`.

Given the nature of builds with `cargo` and the availability of build scripts, I think `cargo` isn't prone to this issue. However, I thought it was good to upgrade anyway.

Please note that a CVE doesn't exist yet, but I will check with Rustsec on how to proceed with this. CC `@Shnatsel`

### Tasks

* [x] fix tests
  - the bug was introduced in GitoxideLabs/gitoxide@74ce863 and it leads the local symref `refs/remotes/origin/HEAD` to point to a non-existing branch.
  - This is a feature, but one with the shortcoming that it's allowed to point to a non-existing ref, and that ref is not automatically created, yet, and it's not covered by a refspec. Previously it would just let the symbolic ref point to the peeled object that is known.
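The kind of check the message describes, as an added example (not gitoxide's or cargo's own code; `parse_authority`, `ssh_argv` and `SshUrlError` are hypothetical names): any user or host taken from an `ssh://` URL that begins with `-` is refused before it can reach the `ssh` command line, where it would be parsed as an option.

```rust
// Added example: hypothetical helpers, not gitoxide's or cargo's own code.
#[derive(Debug, PartialEq)]
enum SshUrlError {
    NotSsh,
    EmptyHost,
    /// The value would be parsed by ssh as an option, not as a destination.
    LooksLikeOption(String),
}

/// Split `ssh://[user@]host[:port]/path` into (user, host, port).
fn parse_authority(url: &str) -> Result<(Option<&str>, &str, Option<&str>), SshUrlError> {
    let rest = url.strip_prefix("ssh://").ok_or(SshUrlError::NotSsh)?;
    let authority = rest.split('/').next().unwrap_or("");
    let (user, host_port) = match authority.rsplit_once('@') {
        Some((u, h)) => (Some(u), h),
        None => (None, authority),
    };
    // Only treat the suffix as a port when it is purely numeric.
    let (host, port) = match host_port.rsplit_once(':') {
        Some((h, p)) if !p.is_empty() && p.bytes().all(|b| b.is_ascii_digit()) => (h, Some(p)),
        _ => (host_port, None),
    };
    if host.is_empty() {
        return Err(SshUrlError::EmptyHost);
    }
    Ok((user, host, port))
}

/// Build the argv for `ssh`, refusing any user or host that starts with '-'.
fn ssh_argv(url: &str) -> Result<Vec<String>, SshUrlError> {
    let (user, host, port) = parse_authority(url)?;
    for part in user.into_iter().chain([host]) {
        if part.starts_with('-') {
            return Err(SshUrlError::LooksLikeOption(part.to_string()));
        }
    }
    let mut argv = vec!["ssh".to_string()];
    if let Some(p) = port {
        argv.extend(["-p".to_string(), p.to_string()]);
    }
    argv.push(match user { Some(u) => format!("{u}@{host}"), None => host.to_string() });
    Ok(argv)
}

fn main() {
    // Constructed inputs: the URL from the commit message and a benign one.
    for url in ["ssh://-oProxyCommand=open$IFS-aCalculator/foo", "ssh://git@example.com:2222/foo"] {
        println!("{url} -> {:?}", ssh_argv(url));
    }
}
```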