* Check that a git dependency resolves to a revision

A git dependency should be resolved to a full git revision (SHA-1).
When dealing with a git dependency, this is the only way to lock
the dependency in-place (because revisions are immutable).

* Check that a pinned git dependency resolves to a revision

There are three mutually exclusive parameters that can be used to
pin a git dependency: `branch`, `tag`, and `rev`.  Since they all
can be moving targets, they should be resolved to a full git
revision (SHA-1) to ensure a proper in-place lock.

This change highlights bug #1331 and currently fails.

* Make sure a git reference resolves to a revision

Do not lock a git dependency to a named reference but to a full
git revision instead.  This ensures reproducibility and security
as git revisions are immutable.

Fixes: #1331