Check git commit hashes when downloading source repos
To hinder supply chain attacks, record the expected git commit hashes for the source repos in the version file alongside the tag names, and check the commit hashes when checking out the tags.
To hinder supply chain attacks, record the expected git commit hashes for the source repos in the version file alongside the tag names, and check the commit hashes when checking out the tags.