pybind / pybind11

Seamless operability between C++11 and Python
https://pybind11.readthedocs.io/

Can we produce stable download artifacts? #5021

Open rwgk opened 4 months ago

rwgk commented 4 months ago

@rickeylev had this suggestion:

The GitHub /archive/ URLs aren't guaranteed to have stable hashes. GitHub has changed their hashing twice and plans to do it again in the next year or so. It does violate a best practice to ensure remote artifacts aren't being tampered with.

There are probably GitHub docs about how to do this somewhere. What it means is, when creating a "GitHub release", a file of the source is attached to it, much like you'd attach some built library you wanted to make directly downloadable.

In rules_python, we do this automatically using an action:

https://github.com/bazelbuild/rules_python/blob/677fb53a16d65082729be927dafd3a45fafa04c5/.github/workflows/release.yml#L40-L46

The prior "create_archive_and_notes.sh" creates the tar.gz file, and that action-gh-release action uploads the file into the "github release".

If you're doing manual releases, then it means you edit the release, and upload/attach the file to it.
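As an added example (not pybind11's release scripts and not the rules_python workflow linked above), the script below shows what "stable artifact" means in practice: a source tarball whose bytes, and therefore its SHA-256, depend only on the tree contents rather than on the archiver's defaults for entry order, uid/gid, mtimes or the gzip header, plus the pinned-digest check a downstream consumer (an `http_archive(sha256 = ...)` rule, for instance) would run on the downloaded asset. It assumes GNU tar (for `--mtime`, `--owner`, `--numeric-owner`, `--no-recursion`) and `sha256sum` or `shasum` on PATH; the sample tree, the file names and the default `SOURCE_DATE_EPOCH` value are constructed for the demo.

```shell
#!/bin/sh
# Added example, not pybind11's or rules_python's release tooling.
# Builds a source archive whose SHA-256 depends only on the tree contents,
# then verifies a copy of it against a pinned digest.
# Assumes GNU tar and either sha256sum or shasum.
set -eu

# make_stable_archive SRC_DIR OUT_TGZ
# Entry order is fixed by sorting the file list in the C locale; uid/gid are
# forced to 0 with no user/group names; every mtime is pinned to
# SOURCE_DATE_EPOCH (default 2020-01-01T00:00:00Z, an assumption for the demo);
# group/other write bits are stripped so umask 002 vs 022 checkouts agree;
# gzip -n drops the original name and timestamp from the gzip header.
make_stable_archive() {
    src=$1; out=$2
    epoch=${SOURCE_DATE_EPOCH:-1577836800}
    list=$(mktemp)
    ( cd "$src" && find . -type d -o -type f | LC_ALL=C sort ) > "$list"
    tar -C "$src" --no-recursion -T "$list" \
        --owner=0 --group=0 --numeric-owner \
        --mtime="@$epoch" --mode=go-w \
        -cf - | gzip -n -9 > "$out"
    rm -f "$list"
}

# sha256_of FILE: print the hex digest only
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_archive FILE EXPECTED_SHA256: succeed only on an exact match,
# which is exactly what a pinned sha256 in a build rule enforces
verify_archive() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# make_demo_tree DIR: a constructed stand-in for a checked-out release tag
make_demo_tree() {
    mkdir -p "$1/include/pybind11"
    printf '#pragma once\n' > "$1/include/pybind11/pybind11.h"
    printf 'project(example)\n' > "$1/CMakeLists.txt"
}

demo() {
    work=$(mktemp -d)
    make_demo_tree "$work/src"
    make_stable_archive "$work/src" "$work/first.tar.gz"
    # Same tree, fresh mtimes: a plain `tar czf` would hash differently here
    touch "$work/src/CMakeLists.txt"
    make_stable_archive "$work/src" "$work/second.tar.gz"
    first=$(sha256_of "$work/first.tar.gz")
    second=$(sha256_of "$work/second.tar.gz")
    echo "pinned sha256: $first"
    [ "$first" = "$second" ] && echo "rebuild reproduced the archive byte-for-byte"
    verify_archive "$work/second.tar.gz" "$first" && echo "verify: OK"
    rm -rf "$work"
}

demo
```

The digest printed by `demo` is what you would record next to the release asset (or in the consumer's build rule); because the archive is reproducible, a maintainer can regenerate it from the tag later and confirm the published asset was not swapped. The same reproducibility is what makes the GitHub `/archive/` hash instability a problem in the first place: those archives are regenerated by GitHub's current `git archive` implementation, so nothing on the consumer side can pin them.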

rwgk commented 4 months ago

@henryiii RFC @junyer FYI

henryiii commented 4 months ago

I basically do that (with a single generated file instead of a zip) here: https://github.com/CLIUtils/CLI11/blob/main/.github/workflows/build.yml

junyer commented 4 months ago

Tangentially, I asked SLSA folks for a workflow here so that any project could trivially publish source code archives as release assets with signature and provenance, but it's unclear if/when that would ever actually be implemented. (Obviously, GitHub itself should directly support doing so, but...)