We use almost exactly the same stuff, but we have update profile to trigger submodule update pre-compilation because otherwise update is triggered even when the app is compiled as a dependency.
That would work perfectly if you could anchor a submodule to a specific tag… Otherwise you need to have tag-like branches, which I’d like to avoid
This would automatically check out the specified tag in .gitmodules for each submodule and you could just commit the change to link it to the specific ref and leave out the submodule update pre-hook