Documentation
Everyday Git: Practical Workflows & Commands
Tagging

Tagging

Tagging: Permanent Markers in Your Commit History

Tags assign permanent, human-readable names to specific commits, marking significant points in your project’s evolution. Unlike branches, which move forward as you commit, tags remain fixed—providing stable reference points for releases, milestones, or important states.

Understanding Tags: Two Types, Different Purposes

Git implements two distinct tag types, each serving different use cases in software development workflows.

Lightweight Tags: Simple Commit Bookmarks

Lightweight tags function as named pointers to commits—nothing more than a label stored in .git/refs/tags/. They contain no additional metadata, making them ideal for temporary markers or personal reference points.

Storage Implementation:

# A lightweight tag is just a file containing a commit SHA
$ cat .git/refs/tags/v1.0-lightweight
4d3e2f1a0b9c8d7e6f5a4b3c2d1e0f9a8b7c6d5

Creating Lightweight Tags:

# Tag current commit
git tag v1.0-beta

# Tag specific commit
git tag quick-reference 8891c37

# List all tags
git tag

Use Cases:

  • Personal bookmarks during development
  • Temporary reference points
  • Internal milestones not shared with team
  • Quick navigation markers

Annotated Tags: Full Release Objects

Annotated tags create complete objects in Git’s object database, storing comprehensive metadata alongside the commit reference. These tags include tagger name, email, timestamp, and a descriptive message—similar to commit objects themselves.

Object Structure:

$ git cat-file -p v1.0
object 3ede4622cc241bcb09683af36360e7413b9ddf6c
type commit
tag v1.0
tagger Jon Loeliger <[email protected]> 1224885135 -0500

Official version 1.0 release

Production-ready build incorporating all features from Q4 roadmap.
Passed full regression test suite. Deployment approved.

Creating Annotated Tags:

# Create annotated tag with message
git tag -a v1.0.0 -m "Release version 1.0.0 - Initial public release"

# Create annotated tag with editor for detailed message
git tag -a v2.0.0
# Opens editor for multi-line message

# Tag specific commit with annotation
git tag -a v1.5.2 -m "Hotfix release" 7847a19

Annotated Tag Advantages:

  • Traceability: Records who tagged, when, and why
  • Cryptographic Signing: Supports GPG signatures for release verification
  • Documentation: Embeds release notes directly in tag object
  • Permanence: Treated as permanent objects by Git’s garbage collection

Use Cases:

  • Official software releases (v1.0.0, v2.3.1)
  • Milestone markers shared with team
  • Regulatory compliance documentation
  • Builds requiring audit trails

Tag Naming Conventions and Semantic Versioning

Standard Release Patterns

Most projects follow semantic versioning (SemVer) for public releases:

# Semantic Versioning: MAJOR.MINOR.PATCH
git tag -a v1.0.0 -m "Initial stable release"
git tag -a v1.0.1 -m "Bugfix: Security vulnerability patch"
git tag -a v1.1.0 -m "New feature: OAuth integration"
git tag -a v2.0.0 -m "Breaking change: API restructure"

Version Number Meaning:

  • MAJOR: Breaking changes requiring client updates
  • MINOR: New features, backward-compatible
  • PATCH: Bug fixes, no new features

Pre-release and Build Metadata 

# Alpha releases
git tag -a v2.0.0-alpha.1 -m "Early preview, unstable API"

# Beta releases
git tag -a v2.0.0-beta.3 -m "Feature complete, testing phase"

# Release candidates
git tag -a v2.0.0-rc.1 -m "Final testing before release"

# Build metadata (informational only)
git tag -a v1.0.0+20241030 -m "Build from October 30 commit"

Framework-Specific Conventions

Different ecosystems adopt distinct tagging patterns:

# Ruby on Rails pattern
git tag -a rel-4.2.0 -m "Rails 4.2.0 release"

# Date-based releases
git tag -a release-2024.10 -m "October 2024 monthly release"

# Custom project schemes
git tag -a milestone-user-auth -m "User authentication complete"

Working with Tags

Tag Discovery and Navigation 

# List all tags
git tag
# Output:
# v1.0.0
# v1.0.1
# v1.1.0
# v2.0.0

# List tags matching pattern
git tag -l "v1.*"
# Output:
# v1.0.0
# v1.0.1
# v1.1.0

# Show tag details (annotated tags only)
git show v1.0.0
# Displays: tagger info, message, and commit details

# View commit referenced by tag
git log -1 v2.0.0

Checking Out Tags

Tags reference specific commits. Checking out a tag creates a detached HEAD state—your repository points directly to a commit rather than a branch tip.

# Check out tagged commit
git checkout v1.0.0
# Warning: You are in 'detached HEAD' state...

# View project state at this tag
ls -la
# Shows files exactly as they existed at v1.0.0

# Create branch from tag for continued work
git checkout -b hotfix-v1.0.1 v1.0.0
# Now on hotfix-v1.0.1 branch, based on v1.0.0 state

Detached HEAD Implications:

  • Can examine files and make test commits
  • Commits made aren’t attached to any branch
  • Must create branch to preserve new commits
  • Ideal for investigating historical states

Sharing Tags with Remote Repositories

Critical Behavior: Unlike branches, git push does NOT transfer tags by default. This prevents accidental publication of internal reference tags.

# Push single tag
git push origin v1.0.0

# Push all tags at once
git push origin --tags

# Push all branches AND all tags
git push --all --follow-tags

# Recommended: Push only annotated tags
git push --follow-tags
# Pushes commits + annotated tags, excludes lightweight tags

Team Workflow Pattern:

# Developer creates release tag
git tag -a v2.1.0 -m "Q4 Feature Release"
git push origin v2.1.0

# Team members fetch tags
git fetch --tags

# Verify tag receipt
git tag -l "v2.1.*"

Deleting Tags 

# Delete local tag
git tag -d v1.0.0-beta

# Delete remote tag (requires explicit deletion)
git push origin --delete v1.0.0-beta

# Alternative remote deletion syntax
git push origin :refs/tags/v1.0.0-beta

Warning: Tag deletion on remote repositories requires force operations. Coordinate with team before removing shared tags.

Tag Immutability and Conflicts

Tags Are Permanent References

Git enforces tag immutability—attempting to create a tag with an existing name fails:

# Create tag
git tag v1.0.0 abc123

# Attempt to reuse tag name
git tag v1.0.0 def456
# fatal: tag 'v1.0.0' already exists

Rationale: Tags mark release points. Allowing tag reuse would invalidate builds, break deployments, and undermine version tracking.

Platform-Level Immutability Enforcement

While Git allows forced tag updates locally, major hosting platforms enforce stricter immutability policies to protect release integrity.

GitHub Tag Protection:

GitHub prevents tag modification by default—once pushed, tags cannot be moved or deleted through normal Git operations:

# Attempt to force-push updated tag
git tag -f v1.0.0 def456
git push origin v1.0.0 --force

# GitHub rejects the push:
# remote: error: denying tag update v1.0.0
# remote: error: refusing to update existing tag 'v1.0.0'

Enforcement Mechanism: GitHub’s server-side hooks reject non-fast-forward updates to tag references, treating tags as immutable once published. This protection applies regardless of repository permissions—even administrators cannot force-update tags through Git commands.

Deletion Restrictions: While tags can be deleted through GitHub’s web interface (with appropriate permissions), this requires:

  1. Repository admin access
  2. Explicit UI-driven deletion (Settings → Tags)
  3. Audit trail generation (logged in repository events)

Platform Comparison:

PlatformTag ImmutabilityOverride Capability
GitHubEnforced by defaultUI deletion only (admin)
GitLabOptional (configurable)Protected tags feature
BitbucketOptional (branch permissions)Configurable per repository
Azure DevOpsOptional (ref security)Policy-based controls

Why Platforms Enforce Immutability:

  1. Release Integrity: Published releases (npm, Docker, releases pages) reference tags. Moving tags breaks these references, potentially substituting malicious code for legitimate releases.

  2. Supply Chain Security: Package managers and CI/CD systems rely on tags for versioning. Immutable tags prevent supply chain attacks where attackers replace release artifacts by force-pushing modified tags.

  3. Compliance Requirements: Regulatory environments (SOC 2, ISO 27001) mandate audit trails for production deployments. Mutable tags would allow untracked changes to released code.

  4. Build Reproducibility: Build systems cache artifacts by tag reference. Tag mutations invalidate caching assumptions, causing incorrect build artifacts to be deployed.

Practical Implications:

# Scenario: Tagged wrong commit for release
git tag -a v1.0.0 abc123 -m "Initial release"
git push origin v1.0.0

# Discovered mistake immediately
git tag -f v1.0.0 def456
git push origin v1.0.0 --force
# ERROR: GitHub rejects update

# Correct approach: Create new version
git tag -a v1.0.1 def456 -m "Corrected release (v1.0.0 was incorrect)"
git push origin v1.0.1

# Document the mistake
git tag -a v1.0.0-deprecated -m "DEPRECATED: Use v1.0.1 instead"

If You Must Move a Tag Locally (non-GitHub workflow):

# Force tag recreation (local repository only)
git tag -f v1.0.0 def456

# Force push (only works with platforms allowing it)
git push origin v1.0.0 --force

# WARNING: This breaks any systems relying on the original tag
# Coordinate with entire team before attempting
# Most hosted platforms will reject this operation

Best Practice: Treat tag creation as irreversible. Verify commit correctness before tagging, and use incremental version numbers (v1.0.1, v1.0.2) to correct mistakes rather than attempting tag updates.

Tag vs. Branch Name Conflicts

Git allows identical tag and branch names (e.g., main tag and main branch). However, ambiguous references trigger warnings:

# Create tag named 'main' (branch 'main' exists)
git tag main

# Ambiguous checkout attempt
git checkout main
# warning: refname 'main' is ambiguous

# Explicit disambiguation
git checkout refs/heads/main  # Branch
git checkout refs/tags/main   # Tag

Best Practice: Never create tags with branch names. Maintain distinct naming schemes to avoid confusion.

Real-World Tagging Workflows

Release Engineering Pattern 

# Feature development complete, create release branch
git checkout -b release-2.0 develop
git push origin release-2.0

# Testing phase: Bug fixes committed to release-2.0

# Release approved, tag final commit
git tag -a v2.0.0 -m "Version 2.0.0 Release

Major features:
- Real-time synchronization
- Enhanced security model
- API v2 with GraphQL support

Tested with 10,000 concurrent users.
Deployment runbook: docs/deployment-v2.0.md"

# Merge to main and push tag
git checkout main
git merge release-2.0
git push origin main
git push origin v2.0.0

# Merge back to develop for future work
git checkout develop
git merge release-2.0

Library Versioning Pattern

Used by frameworks like Ruby on Rails, React, Django:

# Development proceeds on main
# When ready for release:

# Update version files
vim package.json  # Bump version to 4.2.0
git add package.json
git commit -m "Preparing for 4.2.0 release"

# Create annotated tag
git tag -a v4.2.0 -m "Version 4.2.0

Changes since 4.1.0:
- Performance improvements in rendering engine
- New lifecycle hooks for async operations
- Deprecated legacy API methods (removal in v5.0)

Migration guide: docs/upgrading-to-4.2.md"

# Build release package
npm run build

# Publish to package registry
npm publish

# Push code and tags
git push origin main --follow-tags

# Verify tag on remote
git ls-remote --tags origin

Hotfix Workflow with Tags 

# Production issue discovered in v2.1.0
git checkout -b hotfix-2.1.1 v2.1.0

# Implement fix
vim src/security/auth.py
git add src/security/auth.py
git commit -m "fix(security): Resolve authentication bypass

Vulnerability allowed unauthenticated access when session
cookie expired during request processing.

Fixes CVE-2024-12345"

# Tag hotfix release
git tag -a v2.1.1 -m "Hotfix 2.1.1 - Security Patch

CRITICAL: Addresses authentication bypass vulnerability.
Deploy immediately to all production environments.

Fixes CVE-2024-12345"

# Merge to main
git checkout main
git merge hotfix-2.1.1

# Merge to develop
git checkout develop
git merge hotfix-2.1.1

# Push everything
git push origin main develop
git push origin v2.1.1

# Clean up
git branch -d hotfix-2.1.1

Advanced Tag Operations

Cryptographically Signed Tags

For security-critical projects, GPG-signed tags verify release authenticity:

# Create signed tag (requires GPG key configured)
git tag -s v3.0.0 -m "Signed release v3.0.0"
# Prompts for GPG key passphrase

# Verify tag signature
git tag -v v3.0.0
# gpg: Signature made Thu Oct 30 10:15:23 2024 AEDT
# gpg: Good signature from "Release Manager <[email protected]>"

Use Cases:

  • Open-source software distributions
  • Security-focused applications
  • Regulatory compliance requirements
  • Supply chain verification

Filtering Tags by Date 

# Tags created after specific date
git log --tags --simplify-by-decoration --since="2024-01-01" --pretty="format:%ai %d"

# Tags on commits in specific range
git tag --contains v1.0.0 --merged main

# Find commit for specific tag
git rev-list -n 1 v2.0.0

Bulk Tag Operations 

# Export all tags to file
git tag > tags-backup.txt

# Fetch tags without commits
git fetch origin "refs/tags/*:refs/tags/*"

# Delete all local tags matching pattern
git tag -l "v1.*" | xargs git tag -d

# Fetch tags and prune deleted remote tags
git fetch --prune origin "refs/tags/*:refs/tags/*"

Tags vs. Branches: When to Use Each

FeatureTagsBranches
MutabilityImmutable (permanent markers)Mutable (moves with new commits)
PurposeMark specific historical pointsTrack ongoing development
Typical UseReleases, milestonesFeatures, hotfixes, experiments
Auto-pushRequires explicit pushPushes with git push
MetadataCan include message, signatureOnly commit history
Ideal ForVersion numbers, deployment pointsActive development work

Decision Heuristic:

  • Need permanent reference to specific commit? → Tag
  • Need to track evolving work? → Branch
  • Sharing official release? → Annotated tag
  • Personal bookmark? → Lightweight tag

Common Tag Anti-Patterns

Anti-Pattern 1: Using Lightweight Tags for Releases

Problem: Lightweight tags lack documentation, tagger info, and signing capability.

# Bad: No context about release
git tag v1.0.0
git push origin v1.0.0

Solution: Always use annotated tags for releases:

# Good: Full release documentation
git tag -a v1.0.0 -m "Initial public release - October 2024"
git push origin v1.0.0

Anti-Pattern 2: Forgetting to Push Tags

Problem: Local tags invisible to team, breaking deployment pipelines.

# Tagged locally but never pushed
git tag -a v2.0.0 -m "New release"
git push origin main
# Tag still local only!

Solution: Establish push discipline:

git tag -a v2.0.0 -m "New release"
git push origin main --follow-tags
# Or: git push origin v2.0.0

Anti-Pattern 3: Moving Existing Tags

Problem: Breaks builds depending on original tag, undermines version trust.

Solution: Create new tag with incremented version:

# Instead of: git tag -f v1.0.0 <new-commit>
# Use: git tag -a v1.0.1 -m "Updated release" <new-commit>

Summary: Tags as Version Anchors

Tags serve as permanent navigation beacons in your repository’s history. Key principles:

  1. Annotated tags for releases: Include metadata, support signing
  2. Lightweight tags for bookmarks: Personal reference points
  3. Explicit sharing: Tags require manual push operations
  4. Immutable by design: Tags should never move once shared
  5. Semantic versioning: Adopt community standards for clarity

Integration with Workflow: Tags bridge development and operations—marking the exact commit deployed to production, enabling rollbacks to known-good states, and providing audit trails for compliance.

Next Step: Master Undoing Changes to handle mistakes in tagged releases.

Interactive Staging BasicsGit Hooks