digitalocean / doctl Public
1.61.0 release tarball changed? #1001
Comments
Hi @Jehops. Thanks for maintaining the FreeBSD package! This does seem odd. We build and upload the binary tarballs using goreleaser and we include the SHA256 checksums for them as part of the release. The source tarballs are generated by GitHub automatically. We don't keep a record of what the checksums for those are at release. What was the original checksum you recorded?
Hi @andrewsomething. My pleasure. That the GitHub automatically generated tarballs can change is odd and unfortunate, but described elsewhere. The original SHA256 was 5334fb1d2c169064d2a7584186bc4b3c48952e8af0a139447e890e204531356e. It's now 571ae4f408a267d9824b56b5ed43604c867be951c09d8fd9b2b0db7cb4635078.
Looks like it should be pretty trivial for us to start including our own source archive as part of the release process: https://goreleaser.com/customization/source/ That should at least prevent this in the future.
See digitalocean/doctl#1001 Upstream will now provide immutable source tarballs.
See digitalocean/doctl#1001 Upstream will now provide immutable source tarballs. (cherry picked from commit 2924196)
FreeBSD package maintainer here. Our package building system does a checksum on the release tarballs and we are now seeing a mismatch. It doesn't look like the release was re-rolled. Do you know anything about the change?
I'm told that these GitHub generated tarballs are not guaranteed to be static, although this is a first for me in years of maintaining dozens of GitHub hosted packages.
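When a recorded tarball checksum stops matching, as in this issue, a packager needs to know whether the source tree changed or only the archive bytes did. The following is an added example, not code from this thread or from doctl: it compares two tarballs by archive SHA256 and by a content digest that ignores timestamps, ownership and compression. The function names and the sample tree are assumptions constructed for illustration.

```python
import hashlib
import io
import tarfile


def archive_sha256(blob: bytes) -> str:
    """Digest of the archive bytes, which is what a package build records."""
    return hashlib.sha256(blob).hexdigest()


def content_digest(blob: bytes) -> str:
    """Digest of paths, types, modes and file bytes; ignores mtime, owner, compression."""
    h = hashlib.sha256()
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
        for m in sorted(tar.getmembers(), key=lambda m: m.name):
            if m.isfile():
                data = tar.extractfile(m).read()
            else:  # link target; empty for directories
                data = m.linkname.encode("utf-8", "surrogateescape")
            meta = f"{m.name}\0{m.type.hex()}\0{m.mode & 0o7777:o}\0{len(data)}\0"
            h.update(meta.encode("utf-8", "surrogateescape") + data)
    return h.hexdigest()


def compare(old: bytes, new: bytes) -> str:
    if archive_sha256(old) == archive_sha256(new):
        return "identical"
    if content_digest(old) == content_digest(new):
        return "repacked"  # same tree, different archive bytes
    return "content-changed"  # needs review before updating the checksum


def build_sample(files: dict, mtime: int, level: int) -> bytes:
    """Constructed sample input: a gzip tarball with chosen mtime and compression level."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz", compresslevel=level) as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(data), mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    tree = {"doctl-1.61.0/main.go": b"package main\n"}  # constructed, not doctl's source
    old = build_sample(tree, mtime=1, level=9)
    new = build_sample(tree, mtime=2, level=6)
    print(compare(old, new))
```

Running `compare` requires a retained copy of the previously fetched tarball, such as one kept in a distfile mirror or cache.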