Add `reup-tag` option to git plugin

[Araxeus]

Specifying reup-tag: true will cause peru reup to update the rev to the latest Tag instead of the latest Commit Hash

This allows 2 things that I can think of:

1. Dependency version readability – instead of some random hash, it's an actual version number you can easily find the source to.
2. Avoid fetching unreleased code – sometimes the main branch isn't stable, and only tags are

fix #233 and https://github.com/buildinspace/peru/issues/193#issuecomment-1433013723

Note

• This is my first time writing any code in Python, so please excuse me if I made some mistake
• Added the install/uninstall to Makefile because I wasted a lot of time figuring out how to test it locally 😅

[oconnor663]

One downside of using tags instead of commit hashes is that tags aren't truly immutable. You need to run git tag --delete if you want to change a tag, which isn't a common thing to do, but I'll admit to doing it occasionally when I screw up one of my releases :) Peru wants to make some modest security guarantees about how peru.yaml uniquely defines a tree of files, and that relies on rev generally pointing to a real commit hash. (Questions about SHA-1 collisions and git commits aside.)

[Araxeus]

I see how it's not truly immutable, but nowadays a lot of repo's have verifiable github actions that automatically build, tag, and release

This feature is optional, you can enable it only for repo's you trust

And also you could just manually input tag versions in your peru.yml then run peru sync to get the same result

Questions about SHA-1 collisions and git commits aside.

What do you mean? Doesn't git just pull the specified rev?

[Araxeus]

Well I got tired of waiting so I coded an alternative to peru

https://github.com/Araxeus/vendorfiles