Immutable Tags / Releases #664

tim-hanssen · 2026-03-20T22:34:16Z

tim-hanssen
Mar 20, 2026

Recent incidents like with Trivy scanner yesterday showed that retagging versions can create security risks.

A version like v1.2.3 should always point to the same commit.

Proposal:

Enable tag protection for all releases
Disallow force-push and deletion of version tags

Why:

Prevents supply chain risks
Ensures reproducible builds

jaydrogers · 2026-03-20T22:59:09Z

jaydrogers
Mar 20, 2026
Maintainer

I like this idea. Would be open to more discussion if others want to chime in

0 replies

tim-hanssen · 2026-05-01T17:28:29Z

tim-hanssen
May 1, 2026
Author

If there is no reason not to, it would be nice to enable it.

0 replies

jaydrogers · 2026-05-14T22:15:03Z

jaydrogers
May 14, 2026
Maintainer

Sorry for the delay. I was slammed with projects.

So long story short, I'm dumb and forgot that I already do this. I think I used to update the latest tag (like back in 2.x) but I don't do that anymore.

I enabled tag rules and I want to further harden our process.

I also spent some time documenting how this all works here: https://serversideup.net/open-source/docker-php/docs/getting-started/upgrade-guide

Let me know if this all looks good to you. I appreciate your ideas to help improve our security!

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Immutable Tags / Releases #664

Uh oh!

{{title}}

Uh oh!

Replies: 3 comments

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Uh oh!

Immutable Tags / Releases #664

Uh oh!

tim-hanssen Mar 20, 2026

Replies: 3 comments

Uh oh!

jaydrogers Mar 20, 2026 Maintainer

Uh oh!

tim-hanssen May 1, 2026 Author

Uh oh!

jaydrogers May 14, 2026 Maintainer

tim-hanssen
Mar 20, 2026

jaydrogers
Mar 20, 2026
Maintainer

tim-hanssen
May 1, 2026
Author

jaydrogers
May 14, 2026
Maintainer