GitRepository "spec.ref.commit" field should take precedence over sibling "spec.ref.tag" field

[seh]

Describe the bug

The documentation for the GitRepository kind's "spec.ref.commit" field claims that it takes precedence over a populated sibling "spec.ref.tag" field, but the two implementations for libgit2 and gogit both use a specified Git tag and ignore a specified Git commit.

To Reproduce

Steps to reproduce the behavior:

1. Create a GitRepository object with both its "spec.ref.tag" and "spec.ref.commit" fields populated, such that each designate a different Git commit in the source repository.
2. Create a Kustomization object that points at the aforementioned GitRepository object.
3. Force Flux to reconcile the Kustomization object.
4. Observe that the source controller fetched the Git repository per the tag, and not the specified commit.

Expected behavior

The source controller should prioritize a designated Git commit over a designated Git tag, per the documentation, or possibly reject the configuration as invalid. I'd prefer to accept populating multiple "spec.ref" fields, with a documented and honored precedence for them, as for some configurations (involving "post-build substitutions") this flexibility—and predictability—turns out to be useful.

Additional context

• Kubernetes version: 1.19.9
• Git provider: gogit (I think)
• Container registry provider: Docker Hub

Below please provide the output of the following commands:

Command output

flux --version

flux version 0.16.1

flux check

► checking prerequisites
✔ kubectl 1.21.3 >=1.18.0-0
✔ Kubernetes 1.19.9 >=1.16.0-0
► checking controllers
✔ helm-controller: deployment ready
► ghcr.io/fluxcd/helm-controller:v0.10.1
✔ kustomize-controller: deployment ready
► ghcr.io/fluxcd/kustomize-controller:v0.12.1
✔ notification-controller: deployment ready
► ghcr.io/fluxcd/notification-controller:v0.14.1
✔ source-controller: deployment ready
► ghcr.io/fluxcd/source-controller:v0.13.0
✔ all checks passed

kubectl --namespace=flux-system get all

NAME                                           READY   STATUS    RESTARTS   AGE
pod/helm-controller-b445c9d6d-kdtsr            1/1     Running   0          27h
pod/kustomize-controller-54fd4575dc-64r52      1/1     Running   0          27h
pod/notification-controller-7bc48f9db4-9jz4z   1/1     Running   0          27h
pod/source-controller-7d67597c95-gnftv         1/1     Running   1          27h

NAME                              TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)   AGE
service/notification-controller   ClusterIP   100.65.113.231   <none>        80/TCP    54d
service/source-controller         ClusterIP   100.70.153.192   <none>        80/TCP    54d
service/webhook-receiver          ClusterIP   100.65.156.205   <none>        80/TCP    54d

NAME                                      READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/helm-controller           1/1     1            1           54d
deployment.apps/kustomize-controller      1/1     1            1           54d
deployment.apps/notification-controller   1/1     1            1           54d
deployment.apps/source-controller         1/1     1            1           54d

NAME                                                 DESIRED   CURRENT   READY   AGE
replicaset.apps/helm-controller-85bfd4959d           0         0         0       54d
replicaset.apps/helm-controller-b445c9d6d            1         1         1       27h
replicaset.apps/kustomize-controller-54fd4575dc      1         1         1       27h
replicaset.apps/kustomize-controller-5687758989      0         0         0       54d
replicaset.apps/notification-controller-758d759586   0         0         0       54d
replicaset.apps/notification-controller-7bc48f9db4   1         1         1       27h
replicaset.apps/source-controller-7d67597c95         1         1         1       27h
replicaset.apps/source-controller-85cd58f569         0         0         0       54d

For now, I'm not at liberty to share the logs.

This report started as a discussion in the "flux" channel of the "Cloud Native Computing Foundation" Slack workspace.