Immutable releases are releases where the assets and associated Git tag cannot be changed after publication. The use of this type of release increases security by blocking supply chain attacks.
Attackers cannot:
- Inject vulnerabilities or malware into current project releases.
- Make changes to assets and tags that may break developer workflows.
The releases tags and artefacts can be also cryptographically verified.
So what happens when the files/code is attached to the immutable? Like a virus library bundled up forever in a release?
If the releases can NEVER be deleted, then wouldn’t it be even worse for admins? Or am I missing something?
You can delete a release. But you can’t change the associated tag and the attached artefacts.
Can you not create another release by the same name?
The release tags cannot be changed or removed from the commit they were applied to. You cannot reuse a tag.
Immutable releases include protection against repository resurrection attacks. Even if you delete a repository and create a new one with the same name, you cannot reuse tags that were associated with immutable releases in the original repository.Tags are locked to a specific commit. So you won’t be able to create a different release with the same tag. Even deleting the repo and creating a new one won’t allow you to reuse the same tag, unless you change the repo name.
https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/immutable-releases