Whereas branches are very obviously intended for a "latest" pull without any further verification, it's important to note about git tags:
They can be edited.
This of course will not guarantee reproducible builds, for whatever reason they would be idealized.
However, for malicious purposes: If you tag something "v1.2.3" and then have it built and released with some backdoor, it's easy to cover up the tracks by force-pushing and overwriting the tag.
Therefore, as I understand it, git commit hashes are the safer alternative. They cannot be changed - they can be deleted of course, but not changed.
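As an added example (not part of the original post), here is a small Python check that applies the advice above to GitHub Actions `uses:` references: anything resolved by a tag or branch name is reported as mutable, and only a full commit hash counts as pinned. The workflow text and the 40-hex hash in it are constructed sample input.

```python
import re

# A full SHA-1 (40 hex) or SHA-256 (64 hex) object name is a content address:
# it cannot be repointed the way a tag or branch can.
_COMMIT_RE = re.compile(r"^(?:[0-9a-f]{40}|[0-9a-f]{64})$")


def classify_ref(ref: str) -> str:
    """Return 'commit' for a full object hash, 'mutable' for a tag or branch name."""
    return "commit" if _COMMIT_RE.match(ref) else "mutable"


def audit_uses(workflow_text: str) -> list:
    """Scan 'uses:' lines of a GitHub Actions workflow.

    Returns a list of (action, ref) pairs that are not pinned to a full commit
    hash. Local ('./...') and 'docker://' references are skipped, and a missing
    '@ref' (which resolves to the default branch) is reported as well.
    """
    findings = []
    for line in workflow_text.splitlines():
        m = re.match(r"^\s*-?\s*uses:\s*([^\s#]+)", line)
        if not m:
            continue
        spec = m.group(1)
        if spec.startswith("./") or spec.startswith("docker://"):
            continue
        action, _, ref = spec.partition("@")
        if not ref or classify_ref(ref) == "mutable":
            findings.append((action, ref or "<default branch>"))
    return findings


# Constructed sample workflow; the hash below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
      - uses: some-org/some-action
"""

if __name__ == "__main__":
    for action, ref in audit_uses(SAMPLE_WORKFLOW):
        print(f"not pinned to a commit hash: {action}@{ref}")
```

The same `classify_ref` works for other `@ref` forms, such as `git+https://...@ref` lines in a pip requirements file.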