Sometimes there's no tar release for some repo on GitHub, and the "Download as ZIP" button only generates a random zip with a random hash. So, in my Dockerfile, I want to clone a repo but be able to check it against some hash to prevent tampering.
If I do
git clone https://github.com/repo/repo && git checkout hash
then can I trust that there's no way for the repo owner to replace that specific commit with another version of the code with some malware?
In other words, does a commit hash cover everything up to that commit, or is it just a hash of the diff of the commit?
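An added example (not part of the question) that re-implements git's object hashing for a commit: the hashed body names the root tree id and every parent commit id, so the commit hash pins the full contents and the whole ancestry, not a diff. The author identity and the extra tree entry are constructed sample values; the empty-tree id is git's well-known constant.

```python
import hashlib


def git_object_hash(obj_type: str, payload: bytes, algo: str = "sha1") -> str:
    """Hash a loose object the way git does: header 'type size\\0' + payload.
    Repositories default to SHA-1; those created with --object-format=sha256
    use the same framing with SHA-256."""
    header = f"{obj_type} {len(payload)}\0".encode()
    return hashlib.new(algo, header + payload).hexdigest()


def commit_payload(tree: str, parents: list[str], author: str,
                   committer: str, message: str) -> bytes:
    """Serialize a commit body. It embeds the tree id and each parent id,
    so the commit id transitively covers every ancestor and every file."""
    lines = [f"tree {tree}"]
    lines += [f"parent {p}" for p in parents]
    lines += [f"author {author}", f"committer {committer}", "", message]
    return ("\n".join(lines) + "\n").encode()


# git's id for the empty tree: sha1("tree 0\0")
EMPTY_TREE = git_object_hash("tree", b"")


def demo() -> dict:
    """Constructed repo: a root commit and a child. Replacing the child's
    parent (rewritten history) or its tree (changed files) yields a
    different child id, so a pinned id cannot be silently swapped."""
    ident = "Example Dev <dev@example.invalid> 1700000000 +0000"  # constructed
    root = git_object_hash(
        "commit", commit_payload(EMPTY_TREE, [], ident, ident, "initial"))
    child = git_object_hash(
        "commit", commit_payload(EMPTY_TREE, [root], ident, ident, "second"))
    # same message and tree, but a different parent id
    tampered_parent = git_object_hash(
        "commit", commit_payload(EMPTY_TREE, ["0" * 40], ident, ident, "second"))
    # same parent, but a tree with one constructed entry (any change to a blob
    # changes its tree's id, which changes the commit id)
    other_tree = git_object_hash("tree", b"100644 README\0" + bytes(20))
    tampered_tree = git_object_hash(
        "commit", commit_payload(other_tree, [root], ident, ident, "second"))
    return {"root": root, "child": child,
            "tampered_parent": tampered_parent, "tampered_tree": tampered_tree}
```

After `git checkout <hash>` in the Dockerfile, comparing `git rev-parse HEAD` against the expected id is the practical check; the example shows why that single id is sufficient.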