Wolfi/Melange has a neat feature to test the "expected commit" when checking out a tag or a branch from a git repository. We could also add a new field to the git source to have an expected-commit and fail if the commit that the branch is pointing to doesn't match (anymore).
Could look like this:
source:
  - git: git://anongit.gentoo.org/proj/pax-utils.git
    tag: v${{package.version}}
    expected-commit: 9ef54b472e42ba2c5479fbd86b8be2275724b064
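
An added example, not code from this project or from Wolfi/Melange: a shell check for what the proposed `expected-commit` field would enforce once the ref has been fetched. `verify_expected_commit` is a hypothetical helper name, and the check assumes a SHA-1 repository (40-character commit ids).

```shell
#!/bin/sh
# Added example: fail the build when a tag or branch no longer points at the
# pinned commit. verify_expected_commit is a hypothetical helper name.

# Usage: verify_expected_commit <repo-dir> <ref> <expected-commit>
# Returns 0 on match, 1 on mismatch, 2 on bad input or an unresolvable ref.
verify_expected_commit() {
    repo=$1
    ref=$2
    expected=$3

    # Require a full lowercase 40-hex id so an abbreviated prefix, a ref
    # name, or an empty value can never be accepted as the pin.
    case $expected in
        *[!0-9a-f]*)
            echo "expected-commit must be lowercase hex" >&2
            return 2 ;;
    esac
    if [ "${#expected}" -ne 40 ]; then
        echo "expected-commit must be a full 40-character hash" >&2
        return 2
    fi

    # ^{commit} peels annotated tags. Without it an annotated tag resolves
    # to the tag object's id, which never equals the commit id.
    actual=$(git -C "$repo" rev-parse --verify --quiet "${ref}^{commit}") || {
        echo "cannot resolve $ref in $repo" >&2
        return 2
    }

    if [ "$actual" != "$expected" ]; then
        echo "expected commit $expected for $ref, got $actual" >&2
        return 1
    fi
    return 0
}
```

Passing a fully qualified ref such as `refs/tags/<name>` avoids ambiguity when a branch and a tag share a name.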