Git – Which artifact should I deploy to prod when using Git Flow

I don't quite understand how you suddenly got to version B 1.1.0.003, however I can't help but feel you are making this much more complicated than it needs to be. You said yourself that all of your projects get released at one time, and that is likely because of the spider web of dependencies that projects seem to have with one another. A single change for a hotfix in Project A sounds like it can have a downstream effect where Project B likely needs to update its version dependency on Project A to the new hotfix version, causing Project B to have a new hotfix version, and etc...

Develop Branch

The way to think about the develop branch of any one project is for ongoing development towards the next major or minor version of that software component. Only after this has been thoroughly tested and ready for final QA testing will you ever need to commit to a new release number.

Release Branch

When you have committed to a new Release number, and everything is good to go, you increment your major or minor version numbers and update your dependencies. Its finally official, these components are going into production. You can always rebase your dev branch later and now your dev branch has the latest version number in production, and the latest bug fixes that were resolved in the Release branch.

Hotfix Branch

Basically same as release except you change the update or patch number in your software component versions.

Nuget Build Numbers to the Rescue

Official version numbers should ONLY be incremented or changed for stable "complete" code. All other code is considered in development so when managing changes in dependencies currently under development you should use tools in Nuget to reference dependencies on versions + build numbers. Build numbers are inherently temporary and can be lobbed off before you merge Release back into Master. I understand there are other tools that do this even better like Paket.

Firstly, you can't tag branches, you can only tag commits.

You should tag the commit you actually release. That's the point of version-tagging commits. If you have an issue with your software in some environment (production or otherwise) you can say with confidence that the issue was introduced by the commit that that release was derived from.

(This is why people talk about 'reproducible builds': so they can be confident that their release process isn't introducing new bugs that weren't present in their preview/staging environment, and that if they have a bug in production the same binary is running on their machine when they go to debug it.)

There's no point tagging the second green commit from the bottom (the green child of the commit marked 'Only bugfixes!') as 'v1.0' because you didn't release that commit to production. You released the commit on master. You can even see that git flow has marked that as 'Tag 1.0'.

Remember, tags have a purpose: to easily find commits. You tag a commit as 'v1.0' so that you can easily find the thing that you released as version 1.0. You don't tag it for the sake of having a 'v1.0' tag somewhere in your commit tree vaguely near the commit you actually released.

If you have issues finding the tags from your development branch that's an entirely separate issue. Fix the tool you use to find tags. Or better yet: don't use git-flow. It looks nice in that diagram because of the lovely coloured dots and nicely laid out lines, but in reality it looks like an insane messy web of coloured lines and dots.