What Is a Commit SHA?
A commit SHA is the unique hash that identifies a commit, derived from its content so any change produces a completely different identifier.
A commit SHA is Git's fingerprint for a commit. It is a long hash computed from the commit's contents, including its parent, so it uniquely names that exact snapshot of history. SHAs are how Git, and your CI system, refer to commits unambiguously.
How a SHA is derived
Git hashes the commit's contents, its tree, parent, author, and message, into a fixed-length identifier. Because the hash depends on everything in the commit and its ancestry, changing any byte of the past yields an entirely different SHA. This is what makes Git history tamper-evident.
Using a SHA
You can reference a commit by its full or shortened SHA in any command.
git show a1b2c3d4
git checkout a1b2c3d4e5f6
git log --format="%H"Full and short SHAs
The full SHA is long, but Git accepts a short prefix as long as it is unique within the repository. Short SHAs are convenient for humans, while full SHAs are used where absolute precision matters, such as pinning a dependency to an exact commit.
Commit SHAs in CI/CD
CI ties each pipeline run to a specific commit SHA, so a build result always maps to exact code. Pinning third-party actions to a full SHA, rather than a moving tag, is a security best practice: it guarantees you run the exact reviewed code and cannot be silently changed under a familiar tag name.
Working with SHAs
- Reference commits by short SHA when it is unambiguous.
- Use full SHAs where exactness and security matter.
- Pin CI actions to a SHA to prevent silent supply-chain changes.
- Tie deploys and logs to a SHA for traceability.
Key takeaways
- A commit SHA is a content-derived unique identifier for a commit.
- Any change to history produces a completely different SHA.
- Pinning CI actions to a full SHA improves security and reproducibility.