Add recommendations for immutability in CI/CD

monperrus · web-flow · commit e9f45c414550 · 2025-10-01T10:10:38.000+02:00
Added recommendations for immutable Git tags, releases, and Dockerhub tags.
diff --git a/recommendations-chains.md b/recommendations-chains.md
@@ -28,7 +28,10 @@ CHAINS recommendations are meant to be directly applicable, with state of the ar
   -  Do no use default "Read and write permissions" for token permissions
   -  Tokens should all have expiration dates
 - (pipeline) CHAINS recommends pinning pipelines, CHAINS recommends secrets in branch-restricted environments (instead of repository secrets)
-- (tags & releases) CHAINS recommends having Github tag rulesets to enforce immutable Git tags
+- (immutability)
+  - CHAINS recommends having Github tag rulesets to enforce immutable Git tags
+  - CHAINS recommends using immutable Github releases
+  - CHAINS recommends using immutable Dockerhub tags
  
 ## CHAINS Encourages
 
