Can commit messages include volatile information?

Can commit message include information usable only for a limited time?

There is no rule against this and it can be argued that any reference to external information (including ticket number) is usable only for a limited time.

The more important question you need to ask yourself is, will the limited-time information be available long enough for your needs.

You mention referencing a verification build to prove that certain testing has been performed before performing the merge. What are the chances that a year from now you would still try to follow the link to that build, or that you would by then accept the mere presence of the link in the commit message as sufficient proof that the correct process was followed when making that old merge.

I agree with Bart's answer that the link is probably fine and sufficient for your purposes.

If you want to be paranoid about it, though: have the verification build hash the thing it built (e.g. just use the git commit hash of the branch to be merged). Then sign the hash with a private key that only the verification build server has access to. Report the result alongside the verification result. Include the signature as proof of building in the merge commit message. As long as you don't lose the public key, you can verify the signature.

Although I would recommend that you should try building the merged version, not the branch, to be sure there are no silent merge errors.