The reason it did not work was because the SSH_AUTH_SOCK variable used to store the filename of the SSH agent’s Unix domain socket was not in the environment when running commands via sudo.
By default, the env_reset option is enabled in the sudo security policy and many GNU/Linux distributions make this explicit by shipping with the following line in their /etc/sudoers configuration file:
Defaults env_reset
This ensures that commands are run in a minimal environment with most of the invoking user’s environment variables removed in the restricted environment.
Specific variables can be white-listed so that they are preserved in the environment. For safety, I use the visudo command to edit the sudoers configuration file. Also, rather than modifying /etc/sudoers directly, I add custom modifications to a separate file in the /etc/sudoers.d/ directory. To do this, I run sudo visudo -f /etc/sudoers.d/custom so that the configuration contains the following line:
Defaults env_keep += "SSH_AUTH_SOCK"
Now, running sudo ssh-add -l shows that I can connect to the authentication agent and I can go ahead and update the remote repository:
sudo git push --set-upstream origin master