Warn user when using unstable GitHub archive URL

[alexeagle]

In bazel-contrib/SIG-rules-authors#11 we did a bunch of research, including reaching out to GH support.

TL;DR: http_archive should never use archive/v1.2.3.tar.gz urls as the hash cannot be guaranteed to be stable. However refs/tags/v1.2.3.tar.gz URLs are guaranteed.

Bazel should warn users when they give an unstable URL since it's a nasty surprise when the sha256 stops matching upstream suddenly.

[meteorcloudy]

Is archive/$commit.zip guaranteed to be stable? If not, what would be the alternative?

[fmeum]

The only thing that is guaranteed to be stable (and automatically generated) is archive/refs/tags/$tag.{zip,tar.gz}. There is no way to reference archives for individual commits in a way that is known to be safe.

[keith]

I guess if there's a warning for this we may want an opt out because of that case.

[jwnimmer-tri]

For my part, I use urls = [...] plural where one of the candidates is a putatively unstable github url, but where others are my own mirrors of the same, in case GitHub is down or changes the checksum. If the unstable url is one of several choices, I'd like to request that bazel not warn in that case.

[github-actions]

Thank you for contributing to the Bazel repository! This issue has been marked as stale since it has not had any activity in the last 1+ years. It will be closed in the next 14 days unless any other activity occurs or one of the following labels is added: "not stale", "awaiting-bazeler". Please reach out to the triage team (@bazelbuild/triage) if you think this issue is still relevant or you are interested in getting the issue resolved.