From 7436661b9c7f7232cc416720825561b2fb0a6649 Mon Sep 17 00:00:00 2001
From: Natalia <124304+nessita@users.noreply.github.com>
Date: Mon, 25 May 2026 18:30:43 -0300
Subject: Included commit hash in checksum file when building artifacts for release.
---
 scripts/do_django_release.py | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/scripts/do_django_release.py b/scripts/do_django_release.py
index 3d5bbb5210..89292411f0 100755
--- a/scripts/do_django_release.py
+++ b/scripts/do_django_release.py
@@ -32,6 +32,9 @@ assert DEST_FOLDER and os.path.exists(
 checksum_file_text = """This file contains MD5, SHA1, and SHA256 checksums for the source-code tarball and wheel files of Django {django_version}, released {release_date}.
+It also includes the commit hash of the release tag, identifying the exact
+source revision the artifacts were built from.
+
 To use this file, you will need a working install of PGP or other compatible public-key encryption software. You will also need to have the Django release manager's public key in your keyring. This key has
@@ -77,6 +80,10 @@ SHA256 checksums
 {sha256_tarball} {tarball_name}
 {sha256_wheel} {wheel_name}
+Git tag
+=======
+
+{commit_hash} {django_version}
 """
@@ -94,6 +101,8 @@ def do_checksum(checksum_algo, release_file):
 # Ensure the working directory is clean.
 subprocess.call(["git", "clean", "-fdx"])
+commit_hash = subprocess.check_output(["git", "rev-parse", "HEAD"], text=True).strip()
+
 django_repo_path = os.path.abspath(os.path.curdir)
 dist_path = os.path.join(django_repo_path, "dist")
@@ -132,6 +141,7 @@ checksum_file_kwargs = dict(
 checksum_file_name=checksum_file_name,
 wheel_name=wheel_name,
 tarball_name=tarball_name,
+ commit_hash=commit_hash,
 )
 checksums = (
 ("md5", hashlib.md5),
-- 
cgit v1.3
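Review bot: In the third hunk, `git rev-parse HEAD` records whatever commit happens to be checked out, while the template text added in the first two hunks presents it as the commit of the release tag under a `Git tag` heading; nothing visible here confirms that HEAD is that tag. Because the value ends up in the checksum file that readers verify with the release manager's PGP key, I would fail early when no tag points at HEAD, e.g. `subprocess.check_call(["git", "describe", "--exact-match", "--tags", "HEAD"])`; comparing the tag name with the version has to happen wherever `django_version` is set, which is outside this hunk. The preceding `git clean -fdx` only removes untracked files and `subprocess.call` ignores its exit status, so modified tracked files would still be built under this hash; `subprocess.check_call(["git", "diff", "--quiet", "HEAD"])` before reading the hash would close that gap.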