I am studying using the ‘releases’ feature of github to distribute the zip/tar files generated, but I need to be sure that these files are always going to match a precomputed hash. In other words, that these files are generated only once and not on demand, which could lead to changes due to git/zip/tar patches (see this SO question).
Now, the URL of release-related tarballs suggest that these are indeed generated only once, when the release is created. On the other hand, tarballs for arbitrary commits (the ones you get from the ‘clone or download’ button) are likely to be generated on demand.
I’ve checked the Releases docs without seeing references to this. Anyone knows for sure, or has any further info? Thanks!