Description
Checklist
- I added a descriptive title
- I searched open requests and couldn't find a duplicate
What is the idea?
Currently GH provides autogenerated archives with releases. However, these have the downside of having unstable checksums. As a result, when they are used as a source in package builds (like in conda-forge), they may pass at one point in time and later fail due to checksum mismatches.
Given this, wonder if we can consider a different option where an artifact is generated and uploaded as part of the release process with a checksum. That way consumers of these artifacts will know the artifacts are static and have a checksum they can count on to verify those artifacts.
Why is this needed?
Would improve downstream packaging experience by providing better reliability
What should happen?
Am a little unsure what the current release process looks like. So what should be done will depend a bit on how that release process is run
Do see that we have a Rever file. If that is what we are using, we could specify $GHRELEASE_ASSETS (like in conda-smithy)
If we are not using Rever, maybe we could use a GH Actions step to upload artifacts
There might be other reasonable choices depending on what fits best in our release process
Additional Context
Recently ran into this when releasing 23.11.0 (conda-forge/conda-feedstock#228 (comment)). Though this is not the first time we have seen this issue with GH autogenerated artifacts
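The failure mode described in this issue, as an added example (not code from the issue, conda, or conda-forge): a source tree is archived twice with identical contents, and the pinned SHA-256 a build recipe would carry only matches the first archive. The file names are constructed, and the gzip compression level and header timestamp are assumed here as the sources of variation between the two archives.

```python
import gzip, hashlib, io, tarfile

# Constructed sample source tree (not from any real release).
FILES = {"pkg-1.0/setup.py": b"print('setup')\n" * 50,
         "pkg-1.0/pkg/__init__.py": b"__version__ = '1.0'\n"}

def make_archive(files, compresslevel, gzip_mtime):
    """Build a .tar.gz in memory. Tar member metadata is fixed, so only the
    gzip layer (compression level, header timestamp) varies between calls."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name)      # mtime, uid, gid default to 0
            info.size = len(files[name])
            tar.addfile(info, io.BytesIO(files[name]))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb",
                       compresslevel=compresslevel, mtime=gzip_mtime) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

def verify_pinned(archive, pinned_sha256):
    """What a build recipe does: hash the downloaded bytes, compare to the pin."""
    return hashlib.sha256(archive).hexdigest() == pinned_sha256

def content_digest(archive):
    """Digest over member names and file bytes only, ignoring the gzip layer."""
    h = hashlib.sha256()
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for m in sorted(tar.getmembers(), key=lambda m: m.name):
            data = tar.extractfile(m).read() if m.isfile() else b""
            h.update(f"{m.name}\0{len(data)}\0".encode() + data)
    return h.hexdigest()

# Archive as downloaded when the recipe was written, and the pin taken from it.
released = make_archive(FILES, compresslevel=9, gzip_mtime=0)
PINNED = hashlib.sha256(released).hexdigest()
# Same tree archived again later with different gzip parameters.
regenerated = make_archive(FILES, compresslevel=1, gzip_mtime=1700000000)

if __name__ == "__main__":
    print("pin matches first download: ", verify_pinned(released, PINNED))
    print("pin matches regenerated one:", verify_pinned(regenerated, PINNED))
    print("file contents identical:    ",
          content_digest(released) == content_digest(regenerated))
```

An artifact that is built once and uploaded with the release is never rebuilt, so the digest published next to it keeps matching the bytes consumers download.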