I am following the strategy for enforcing resource tagging (https://www.pulumi.com/blog/automatically-enforcing-aws-resource-tagging-policies/) and one of those tags is the git commit hash. When a resource is updated I want the tag to be updated to the current commit hash but I don’t want a new commit to cause a change to the tag of every resource. Is this possible? I want something like a transformer that only applies when there is some other change.

what you're doing is quite unusual, what is the the real benefit of putting git commit hashes in resource tags?

It’s not that unusual. We do it for binary artifacts all the time. We used to do the same back in the days of Puppet deployments. It is for tracing back from a resource to the code that created it.