There are several different repositories where we pull test material whose SHAs are not tracked in the TAP file; these include:

This refers mainly to material pulled in via ant scripts (build.xml files). Any of the test material included in the testenv.properties file gets written to the TAP files.

In addition to tracking test material, we should also check that any dependencies introduced are also tracked / verified against a checksum, to ensure it is transparent and clear what is being put onto test machines.

Dependencies (any software that is pulled onto the machine during the test run) include:

- prereqs that the Ansible playbooks install, or that are defined in Dockerfiles
- dependencies pulled in via getDependency jobs

Check for any scripts in test material used as part of the AQAvit targets that pull in dependencies opaquely. These are scripts outside of the mechanisms listed above (i.e. Ansible playbooks, the getDependency list), without verification against a checksum, and especially if they are from unofficial or personal branches. We should discourage the use of such scripts as it introduces a level of insecurity that we want to move away from.
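A small audit script, added here as an illustration and not part of aqa-tests or its tooling, that flags the opaque patterns this issue describes: a curl/wget with no checksum verification nearby, a git clone not pinned to a commit SHA, and GitHub sources outside an allow-list of official orgs. The org allow-list, the look-ahead window and the sample script are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Assumption: GitHub orgs whose repositories count as "official" test-material sources.
OFFICIAL_ORGS = {"adoptium", "eclipse-openj9"}

FETCH_RE = re.compile(r"\b(?:curl|wget)\b")
CLONE_RE = re.compile(r"\bgit\s+clone\b")
URL_RE = re.compile(r"https?://[^\s'\"]+")
CHECKSUM_RE = re.compile(r"\b(?:sha256sum|sha512sum|shasum)\b")
COMMIT_RE = re.compile(r"\b[0-9a-f]{40}\b")


def audit_script(text, window=3):
    """Return (line_no, reason) findings for opaque dependency pulls in a script.

    A curl/wget must be followed within `window` lines by a checksum check, a
    git clone by a 40-hex commit SHA (a pin), and GitHub URLs must point at an
    official org. Comment lines are ignored.
    """
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines, start=1):
        if line.lstrip().startswith("#"):
            continue
        nearby = "\n".join(lines[i - 1:i + window])  # current line plus `window` following
        if FETCH_RE.search(line) and not CHECKSUM_RE.search(nearby):
            findings.append((i, "download without checksum verification"))
        if CLONE_RE.search(line) and not COMMIT_RE.search(nearby):
            findings.append((i, "git clone not pinned to a commit SHA"))
        for url in URL_RE.findall(line):
            parsed = urlparse(url)
            if parsed.netloc.lower() == "github.com":
                org = parsed.path.strip("/").split("/")[0].lower()
                if org not in OFFICIAL_ORGS:
                    findings.append((i, f"GitHub source outside official orgs: {org}"))
    return findings


# Constructed sample script (not from the project) covering the patterns above.
SAMPLE = """\
#!/bin/sh
wget https://github.com/adoptium/aqa-tests/archive/master.tar.gz -O aqa.tar.gz
echo "<expected-sha256>  aqa.tar.gz" | sha256sum -c -
curl -L -o tool.jar https://example.invalid/tool.jar
git clone https://github.com/someuser/personal-fork.git
"""

if __name__ == "__main__":
    for line_no, reason in audit_script(SAMPLE):
        print(f"line {line_no}: {reason}")
```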