GitHub Tried to Change the Checksum for Release Archives. You Should Start Hosting Your Own.
Insulate your CI/CD pipeline from checksum and immutability issues by using a binary package manager like Artifactory.
Yesterday, GitHub changed how the archives they provide are generated. The result of this change surprised developers, triggering pipeline failures all over the world in most ecosystems. According to this GitHub post, it is a consequence of recent changes to Git itself, released almost six months ago and only now deployed within GitHub, with unforeseen impact. The change has thankfully been retracted.
Why did this change to GitHub archives break your pipeline?
It’s standard practice for developer and CI tools to verify the content you download off the internet. Most often this just means saving the known checksum ahead of time and comparing it against each subsequent download to make sure the file has not changed. Imagine someone replaced the source code or tool with something malicious: you want to know before you open it.
Changing the default compression used to produce the source archives also changed the checksum of those archives, even though the source files inside them did not change. So when a tool verifies the checksum of the file it just downloaded from GitHub, the value no longer matches the known checksum, throwing an error and breaking your pipelines.
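The following is an added illustration, not code from the original post or from JFrog: it builds one tar from a constructed sample file, gzips it with two different settings (standing in for the upstream compression change), and shows that a checksum pinned on the old `.tar.gz` rejects the new one even though the decompressed tar inside is byte-for-byte identical.

```python
"""Why a compression change breaks checksum pinning: the outer archive bytes
change, the inner tar does not. Sample file content below is constructed."""
import gzip
import hashlib
import hmac
import io
import tarfile


def make_tar(files: dict[str, bytes]) -> bytes:
    """Build a reproducible uncompressed tar from {path: content}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = 0  # fixed timestamp so the tar bytes are deterministic
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def compress(tar_bytes: bytes, level: int, mtime: int) -> bytes:
    """gzip the tar; differing level/mtime model a change in how upstream compresses."""
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", compresslevel=level, mtime=mtime) as gz:
        gz.write(tar_bytes)
    return out.getvalue()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_pinned(archive: bytes, expected_hex: str) -> bool:
    """What a CI tool does: hash the downloaded bytes, compare to the saved checksum."""
    return hmac.compare_digest(sha256_hex(archive), expected_hex.lower())


def demo() -> dict[str, bool]:
    files = {"src/main.c": b"int main(void) { return 0; }\n"}  # constructed sample
    tar = make_tar(files)
    old = compress(tar, level=9, mtime=0)  # archive as originally published
    new = compress(tar, level=1, mtime=1)  # same tar, different gzip settings
    pinned = sha256_hex(old)               # checksum the CI tool saved earlier
    inner_same = gzip.decompress(old) == gzip.decompress(new)
    return {"old_passes": verify_pinned(old, pinned),
            "new_passes": verify_pinned(new, pinned),
            "inner_tar_identical": inner_same}
```

Pinning the hash of the decompressed tar (or of the release tag's commit) instead of the `.tar.gz` bytes would survive this particular change, but only a copy you host yourself guarantees the bytes stay the same.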
How can I prevent checksum changes from disrupting my pipelines?
Thankfully GitHub was quick to revert the change, but by the time it was reverted most folks probably lost a day of productivity (or ended up spending the day figuring out what was going on and then writing a blog about it).
So, how do you prevent disruptions to your pipelines in the future? Short answer – use Artifactory.
You can very easily proxy GitHub tarballs, and even entire branches, through VCS Repositories which provide the usual proxy and caching functionality of Remote Repositories.
To test this out myself, I followed the setup to create a new repository with default settings. I used the “Set Me Up” wizard to copy the provided commands and I was up and running again.
Now I have a copy of these releases in my Cloud instance of the JFrog Platform. Testing one of my own projects by force pushing a tag to a different commit, I still received the original checksum!
Protect yourself from upstream outages or changes: host your own copies of critical components.
It’s very likely that GitHub will take another shot at updating their compression for archives sometime soon. Hopefully it will be less disruptive, but why take the chance?
Proxy GitHub with Artifactory now to avoid future problems, whether that is malicious code or being blocked from building your project. It’s also something you can do today for free. Just sign up for your free Cloud instance of JFrog to get started.