How an AWS release rollback triggered the same red flags as a supply chain attack and why treating every semantic version tag change as suspicious is key to protecting your CI/CD pipelines