
Include source code as asset in releases to avoid issues with GitHub compression algorithm changes

Open kjlubick opened this issue 2 years ago • 0 comments

The rules_sass docs say to create an http_archive using a GitHub source archive URL like https://github.com/bazelbuild/rules_sass/archive/1.26.3.zip.

However, as was observed in a large outage on Jan 31, 2023, the compression algorithm used by GitHub can change, breaking sha256 validation.

The recommendation seems to be to include the source zip/tar.gz files in the release itself as an asset (like protobufs does). GitHub promises not to change those bytes since they are user-provided.

I notice there hasn't been an official GitHub release of rules_sass in a while. Doing so more regularly is a prerequisite to addressing this issue.

Then, the docs should show a URL like: https://github.com/bazelbuild/buildtools/releases/download/1.26.3/source-1.26.3.tar.gz depending on what the file name for the source code asset is.

kjlubick, Feb 01 '23 14:02
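
The failure mode described in the issue, as an added example that is not part of the original issue or of rules_sass: one constructed source tree is gzipped with two compressor settings (a stand-in for a server-side compression change), so the archive sha256 changes while the extracted contents do not. The file names, contents and compression levels are assumptions chosen for illustration.

```python
import gzip
import hashlib
import io
import tarfile

# Constructed sample tree (assumed names; not real rules_sass contents).
SAMPLE_FILES = {
    "rules_sass-1.26.3/WORKSPACE": b'workspace(name = "sample")\n',
    "rules_sass-1.26.3/sass/defs.bzl": b"".join(
        b"lib_%d = %d\n" % (i, i * 7919 % 1009) for i in range(400)),
}

def build_tar(files):
    """Deterministic uncompressed tar: sorted names, fixed mtime."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(files[name]), 0
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()

def gzip_bytes(data, level):
    """Gzip with header mtime fixed, so only the compressor setting varies."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", compresslevel=level, mtime=0) as gz:
        gz.write(data)
    return buf.getvalue()

def archive_digest(archive):
    """Digest of the compressed bytes, which is what a sha256 pin checks."""
    return hashlib.sha256(archive).hexdigest()

def content_digest(archive):
    """Digest over extracted member names and file contents only."""
    h = hashlib.sha256()
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in sorted(tar.getmembers(), key=lambda m: m.name):
            h.update(member.name.encode() + b"\0")
            h.update(tar.extractfile(member).read())
    return h.hexdigest()

def compare(level_a=1, level_b=9):
    tar_bytes = build_tar(SAMPLE_FILES)
    a, b = gzip_bytes(tar_bytes, level_a), gzip_bytes(tar_bytes, level_b)
    return {"archive_sha256_match": archive_digest(a) == archive_digest(b),
            "content_match": content_digest(a) == content_digest(b)}

if __name__ == "__main__":
    print(compare())
```

A release asset avoids the mismatch because its bytes are uploaded once and served unchanged, so the pinned digest keeps describing the same file.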