Using a non-root user to deploy a git repo to the web root

Create a new group, and add the git and www-data users to it. Then set up your bare Git repository to always use the group you created as the gid for the repository files. With a new bare repository you do this with git init --shared=group. (Ref) This will permit the www-data account to read the repository.

Update your sudoers to permit the git account to run commands as www-data without a password.

    # file: /etc/sudoers.d/gitpush
    # permissions should be 0440
    # git user is allowed to basically do anything as the www-data user
    git ALL=(www-data) NOPASSWD: ALL

Then simply have your post-receive script sudo -u www-data for all the commands needed to perform the check/fixes.
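
A post-receive hook following the steps above, as an added example that is not part of the original answer. The web root /var/www/example, the branch main and the function names are assumptions; the repository and work tree are passed as options because sudo resets the environment by default, which drops the GIT_DIR that Git sets for hooks.

```shell
#!/bin/sh
# hooks/post-receive in the bare repository (added example).
WEB_ROOT=/var/www/example     # assumption: the site's document root
DEPLOY_BRANCH=main            # assumption: only this branch is deployed
# -n makes sudo fail instead of prompting if the sudoers rule is missing.
RUN_AS="${RUN_AS:-sudo -n -u www-data}"

# Reads the pushed refs from stdin ("<old> <new> <ref>" per line).
# Returns 0 if DEPLOY_BRANCH was updated, 1 if it was untouched or deleted.
pushed_deploy_ref() {
    found=1
    while read -r _old new ref; do
        if [ "$ref" = "refs/heads/$DEPLOY_BRANCH" ]; then
            # A deleted ref has an all-zero new id (any hash length).
            case "$new" in
                *[!0]*) found=0 ;;
            esac
        fi
    done
    return "$found"
}

# Checks out DEPLOY_BRANCH from the bare repository $1 into WEB_ROOT,
# running git as www-data so the deployed files are owned by that account.
deploy() {
    # $RUN_AS is left unquoted on purpose so it splits into sudo and its options.
    $RUN_AS git --git-dir="$1" --work-tree="$WEB_ROOT" checkout -f "$DEPLOY_BRANCH"
}

# Run only when invoked by Git as the hook, so the file can also be sourced.
case "$0" in
    *post-receive)
        if pushed_deploy_ref; then
            deploy "$(git rev-parse --absolute-git-dir)"
        fi
        ;;
esac
```

The checkout writes an index file inside the repository, so www-data needs the group write access that --shared=group provides, and WEB_ROOT must be writable by www-data.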