Closed johngun3 closed 1 year ago
This is a widespread issue due to a change by GitHub. A lot of other Bazel repos are getting hit too. Follow here for updates:
FYI this is getting reverted upstream, so your builds should come back to green soon ✅
This might happen again in the future as Github does not guarantee that tarballs under a release archive (urls like archive/refs/tags/$tag) won't change.
The recommended way is to generate the tarball as a part of the release manually/via CI, as per: https://github.com/orgs/community/discussions/22979#discussioncomment-3238584 "So if you need to be absolutely certain that a release artifact won’t change, uploading a release artifact is the way to go, whether it’s a duplication in the common case or not."
I can't see GitHub making this change again without a long deprecation period, due to the level of backlash they've seen in the last 24 hours. It'll likely happen accidentally again in the future, but will again be rolled back.
For context of why they cannot realistically ever make this change: for this repo alone I could not publish a static release tar with pinned hashes until every one of our dependencies (of which there are many) have first published a static release tar that I can take the hash of, for which they first have to wait for their dependencies to publish their static release tar, etc etc etc. This process would probably take months and would only take a single core dependency being sluggish to deadlock the entire ecosystem. During this time everyone's builds would be broken, again for maybe months.
When I was considering my next steps yesterday on the chance that it was not not rolled back: the above was becoming a mountain of work (mostly waiting though) just for this repo, so the change would have represented an absurd amount of various maintainers' time just in updating hashes. This is what made the change completely untenable.
However, I agree that publishing a static release tar is prudent now and I shall be looking to add that for upcoming releases but I likely won't be rolling this back into all the old releases.
I've pulled the only local action out of this thread into #251; closing this as the checksums are 'stable' again now
Description
I think is probably just a github system issue I wanted to report it here for visibility: the sha256 of the 1.0.1 tag archive package changed within the last 24 hours.
This url
https://github.com/rules-proto-grpc/rules_proto_grpc/archive/refs/tags/1.0.1.tar.gz
used to point to a package whose sha256 checksum was497225bb586e8f587e139c55b0f015e93bdddfd81902985ce24623528dbe31ab
but it is now5fb7f353f181b1b3bb764c7b7f020c1f44400206aafdc9a50ec040f9c8c32a54
. This broke some of our bazel builds since the old checksum was explicitly specified as part of ahttp_archive
rule.