Where possible, we want to get our information from the most secure place possible, and make every effort to avoid any step of the process that could be interfered with by a bad actor.
The changes we're making here are as follows:
- Grab all information from the github context rather than env vars where possible, since env vars can easily be changed.
- Fix up some error reporting around our git checkout checks - this should provide more context if we fail checking that the currently checked out sha matches the github ref tag's associated checkout.