by eximius
2375 days ago
It sounds like you should add an abstraction layer that makes the default depending on the SHA. Your product should be secure by default and it clearly is not right now. Likely, you can still do this and migrate people fairly painlessly to a secure version. Edit: even if you select a tag or something, it should use the underlying reference instead of the tag. You can add an escape hatch if you REALLY want to target the tag (there are obviously workflows where that makes sense), but it should be off by default and warn users of the security risks.