Hash of a github release changes because of versioneer

[MarkWieczorek]

Problem:

I created a github release, which makes use of versioneer to generate a version number. I downloaded the tar.gz archive and computed the hash (which is required by third-party package managers, like macports and homebrew-core). A few days later, however, I was notified that the hash of the released archive file changed.

Inspecting the original and subsequent tar.gz files, I found that the tar.gz archive did indeed change, and the cause of this change is git_refnames in the file _version.py generated by versioneer.

diff -r SHTOOLS-4.7.1 SHTOOLS2-4.7.1
diff -r SHTOOLS-4.7.1/pyshtools/_version.py SHTOOLS2-4.7.1/pyshtools/_version.py
26c26
<     git_refnames = " (HEAD -> master, tag: v4.7.1)"
---
>     git_refnames = " (HEAD -> master, tag: v4.7.1, develop)"

The only thing that makes sense is that Github recreated the project tar.gz file a few days later, and that for some reason, the git tag was modified somehow. Though I don't know why github would recreate this file, I also question whether git_refnames is required by versioneer. and _version.py.

Additional context:
The release of our project, along with the release tag "v4.7.1" was created using the Github release page. I then pulled the tags to my local repository using git pull --tags. We work on a parallel develop branch, and have since pushed new commits to the develop branch on Github.

Examples of other people having the same problem:

• attic/_version.py from github releases change over time jborg/attic#335
• Unstable MD5 Due to Git Archive + Versioneer spack/spack#7937
• https://trac.macports.org/ticket/41657#comment:2
• shtools: new port macports/macports-ports#8518

Solution
I don' know the solution, nor if there is one. I have opened an issue at GiHub support to find out why the tar.gz file was recreated after the release: This seems very dangerous to me, but perhaps there is a reason this was done.

If there is not a solution, then at a minimum, versioneer should provide a warning in the documentation as to how to avoid this problem. It is not 100% clear what I could have done differently to avoid this.

[ryandesign]

The only thing that makes sense is that Github recreated the project tar.gz file a few days later, and that for some reason, the git tag was modified somehow. Though I don't know why github would recreate this file,

GitHub generates the tarballs on-demand whenever they're requested. GitHub might cache them for a short time, I don't know, but they're definitely not kept forever. If you want to distribute files that are guaranteed never to change unless you change them, upload those files to the GitHub release.

[MarkWieczorek]

But I did download the files from the GitHub release page...

[ryandesign]

Yes, but those are not release downloads. There is a distinction between automatically generated tarballs, which those are, and the manually-uploaded release files which would appear on lines after before those two.

[ryandesign]

Consider https://github.com/macports/macports-base/releases/tag/v2.6.3 where you can see the many files manually uploaded to the release in addition to the two "Source code" links at the end which are automatically generated on demand.

[MarkWieczorek]

For info, I got a response from github, and they confirm that each time you download a tarball archive, that it is regenerated. Because of this, the code in versioneer

git_refnames = "$Format:%d$"

Is updated with each download which can give rise to seemingly trivial problems where branches are added or removed from the tagged commit like

git_refnames = " (HEAD -> master, tag: v4.7.1)"

git_refnames = " (HEAD -> master, tag: v4.7.1, develop)"

As far as I can tell, versioneer only cares about the "tag: vX.X" part in git_refnames, so it would be great if there was a way to write only info without the branch names. I looked quickly through the git archive documentation, but it doesn't look like there is a format specifier that does this. Is there a different way to write only the tag name to the _versioneer.py` file?

[effigies]

No, unfortunately this is just how git archive works, providing all refnames for the commit.

It looks like you're setting up a process to basically snapshot the initial archive. If you'd like to avoid the possibility of changes, you can also modify your process to never push a branch head and tag together. e.g.,

git tag -a vX.Y.Z
# Make some small change or commit with --allow-empty
git commit -m 'post-tag bump'
git push origin master

Another option is to use an uploaded sdist as your source distribution, rather than a git archive. You could fetch it from PyPI or add it to your GitHub release. Those do only have tag and commit information in them, and are not subject to the variability inherent to git archive.

[MarkWieczorek]

Thanks. I'll probably just try to use github actions to upload a tarball archive to the release. If you know of a github action that does this, let me know (I haven't been able to find one that does this out of the box).

[grembo]

@MarkWieczorek @effigies Maybe this is helpful to you (using git 2.32+): isamert/scli#151 (comment)

Not sure if it helps in your case though (I don't know enough about versioneer, how it creates _version.py and which consequences changing it would have).

[effigies]

That's awesome! Any chance of duplicating your test repository on Gitlab? That's the main other public source. And we should see what the failure case looks like from a manual git archive, as I'm sure that's in somebody's process.

[grembo]

@effigies I tried on gitlab, seems to work as well: https://gitlab.com/grembo/gitformattest/-/tags

Failures I've seen:

• git too old: No substitution happens at all (so it's <hash> %(describe...)
• nothing to describe (no annotated tags): Replaced by blank (so its <hash> )

[effigies]

I see you saw %(descibe:tags=true) in dev, and we'll see how long that takes to hit GitHub/GitLab. Unfortunately without lightweight tag support, I think this will end up less reliable than the current approach.

In the short term, a possibility would be to add a configuration option to switch to %(describe) instead of %d, which would avoid breaking existing setups that do use lightweight tags.