Instead of displaying the exact sha1 of deployment, use the last common ancestor with the remote we're tracking. This is what we do in git.info() for MediaWiki already so reuse that data in scap3.
While we're here, clean up the logic for the failure case when we're not tracking an upstream. This has never worked, as "origin" is not a valid reference to anything, it's just a remote. For get_disclosable_head() to have any chance at finding an ancestor, we need an upstream branch or tag so accept one now.
git.info() is generally more robust to failure now.