Refer to upstream sources via release artifacts rather than generated archives

[markusboehme]

GitHub recently disturbed several projects' build processes by accidentally changing the way archives are generated. The change retained all archive contents, but the structural change led to hash sum checks breaking. More on this can be found in this article on LWN. GitHub responded by promising some advance notice for future changes affecting archive hashes.

Since Bottlerocket refers to third-party packages via https://github.com/${org}/$[repo}/archive/... URLs it would have been similarly affected by this. Consider referring to third-party package sources via static release artifact files instead of archives that are generated on demand.

[vyaghras]

Following are the packages where we get the tar file from github generated archives: packages/aws-iam-authenticator/Cargo.toml packages/aws-signing-helper/Cargo.toml packages/cni-plugins/Cargo.toml packages/cni/Cargo.toml packages/containerd/Cargo.toml packages/docker-cli/Cargo.toml packages/docker-engine/Cargo.toml packages/docker-init/Cargo.toml packages/docker-proxy/Cargo.toml packages/ecr-credential-provider/Cargo.toml packages/ecs-agent/Cargo.toml packages/hotdog/Cargo.toml packages/iputils/Cargo.toml packages/libaudit/Cargo.toml packages/libnl/Cargo.toml packages/libnvidia-container/Cargo.toml packages/log4j2-hotpatch/Cargo.toml packages/makedumpfile/Cargo.toml packages/nvidia-container-toolkit/Cargo.toml packages/nvidia-k8s-device-plugin/Cargo.toml packages/oci-add-hooks/Cargo.toml packages/procps/Cargo.toml packages/systemd/Cargo.toml packages/wicked/Cargo.toml

[vyaghras]

Will update packages/makedumpfile/Cargo.toml and packages/libnl/Cargo.toml to use static resources once updated version will be available.