git sanity: enforce "git checkout commithash" actually pulls commit

If there is a collision between a branch name and a commit hash, git will choose the branch, even if the full 40-hex-long commit hash is given. GitHub disallows branches/tags with such a name but git itself does not. By adding the `^{commit}` syntax sugar after a ref name, we can tell git that we want the commit hash to be preferred, and hence we don't need to trust GitHub (only git). see https://security.stackexchange.com/questions/225411/
2020-06-15 20:01:22 +02:00
parent 661ecb2cf5
commit f5f3394552
4 changed files with 8 additions and 8 deletions
--- a/contrib/android/Dockerfile
+++ b/contrib/android/Dockerfile
@@ -154,7 +154,7 @@ RUN cd /opt \
    && cd buildozer \
    && git remote add sombernight https://github.com/SomberNight/buildozer \
    && git fetch --all \
-    && git checkout d0323c165dd5d9aa23d5eb01044474fe006c3420 \
+    && git checkout "d0323c165dd5d9aa23d5eb01044474fe006c3420^{commit}" \
    && python3 -m pip install --user -e .

 # install python-for-android
@@ -163,7 +163,7 @@ RUN cd /opt \
    && cd python-for-android \
    && git remote add sombernight https://github.com/SomberNight/python-for-android \
    && git fetch --all \
-    && git checkout cef08b92268fe69ef331699c2205cbb091e730f0 \
+    && git checkout "cef08b92268fe69ef331699c2205cbb091e730f0^{commit}" \
    && python3 -m pip install --user -e .

 # build env vars