Given a remote repository URL and a SHA hash, is it possible to test whether the hash represents a commit in the repository:
- Without fetching at all?
- If not, with as little fetching (shallow, not all branches) as possible?
A closest answer I think of as a related one states that git fetch
cannot fetch a commit by hash, which is not very promising. ls-remote
also works only with refs. I cannot find any more related commands that look helpful.
Background: a build/packaging tool needs to verify that the build, which contains an SHA hash of a commit, is trackable to source in a particular “golden” repository–not in the legal or cryptographically sound sense of trackable, rather just to prevent the common human error of not sharing the code before pushing binaries into production. Any thoughts on a solution to this problem are appreciated.
Indeed, the local git repository almost certainly exists, and the remote with the given URL very likely exists in it also (or how else the commit could have been pushed into the golden repository?), but I would prefer to avoid, if possible, altering the state of that user's repository with a fetch
.