Well, those are the same thing. Also that’s not a tag, that’s the commit hash. It’s just that pinning to a specific commit means if you re-run the build later it won’t pull in changes you didn’t expect. Removing the commit hash will default to the latest tagged release instead.
Yep, that’s part of the changes, proper first-party “real IP” handling.