Publish stable artifacts with checksums during release #5340
Labels
in-progress
issue is actively being worked on
locked
[bot] locked due to inactivity
source::community
catch-all for issues filed by community members
type::task
indicates a change that doesn't pertain to the code itself, e.g. updating CI/CQ, rebuilding package
What is the idea?
Currently GH provides autogenerated archives with releases. However these have the downside of having unstable checksums. As a result, when they are used as a source in package builds (like in conda-forge), they may pass at one point in time and later fail due to checksum mismatches
Given this, wonder if we can consider a different option where an artifact is generated and uploaded as part of the release process with a checksum. That way consumers of these artifacts will know the artifacts are static and have a checksum they can count on to verify those artifacts
Why is this needed?
Would improve downstream packaging experience by providing better reliability
What should happen?
Am a little unsure what the current release process looks like. So what should be done will depend a bit on how that release process is run
Do see that we have a Rever file. If that is what we are using, we could specify $GHRELEASE_ASSETS (like in conda-smithy)
If we are not using Rever, maybe we could use a GH Actions step to upload artifacts
There might be other reasonable choices depending on what fits best in our release process
Additional Context
Recently ran into this when releasing 24.5.0 (conda-forge/conda-build-feedstock#226). Though this is not the first time we have seen this issue with GH autogenerated artifacts
Also a similar issue occurred with Conda (conda/conda#13399). Maybe the solution applied there (conda/conda#13663) can be added here
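A sketch of the idea requested above, as an added example that is not conda-build's release tooling or code from this issue: build the source archive once with all metadata pinned, publish a `sha256sum`-style line beside it, and have the consumer verify against that line. The function names, asset name and sample files are assumptions made for illustration.

```python
import gzip
import hashlib
import hmac
import io
import tarfile

def build_release_tarball(files, prefix, mtime=0):
    """Pack files into a .tar.gz whose bytes depend only on the arguments."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in sorted(files):              # fixed member order
            info = tarfile.TarInfo(f"{prefix}/{name}")
            info.size = len(files[name])
            info.mtime = mtime                  # no build-time timestamps
            info.mode = 0o644
            info.uid = info.gid = 0             # no builder identity
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(files[name]))
    out = io.BytesIO()
    # filename="" and a fixed mtime keep the gzip header constant too
    with gzip.GzipFile(filename="", fileobj=out, mode="wb", mtime=mtime) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

def checksum_line(data, filename):
    """Return a line in the format `sha256sum` writes and checks."""
    return f"{hashlib.sha256(data).hexdigest()}  {filename}\n"

def verify(data, filename, checksums):
    """True only if `checksums` lists `filename` with the digest of `data`."""
    actual = hashlib.sha256(data).hexdigest().encode()
    for line in checksums.splitlines():
        digest, _, name = line.partition("  ")
        if name == filename:
            return hmac.compare_digest(digest.strip().lower().encode(), actual)
    return False  # an unlisted artifact is treated as unverified

# Constructed sample input; file names and contents are hypothetical.
SAMPLE = {"pkg/__init__.py": b"__version__ = '0.0.0'\n", "README": b"demo\n"}
ASSET = "pkg-0.0.0.tar.gz"

if __name__ == "__main__":
    tarball = build_release_tarball(SAMPLE, "pkg-0.0.0")
    sums = checksum_line(tarball, ASSET)
    print(sums, end="")
    print("verified:", verify(tarball, ASSET, sums))
```

Changing only `mtime` yields an archive with identical file contents but a different digest, which is the kind of mismatch a pinned checksum in a downstream recipe cannot tolerate.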