Specify versions by commit hash not version tag

Checking out a version tag allows upstream attacks where the repo can be modified to contain malicious code and update the tags. We will checkout the version tag containing the malicious code and build a vulnerably Docker image.

Specifying the commit hash acts as a checksum, so if the upstream repo is modified, we won't checkout the new malicious code.