Unstable dependencies

[ash2k]

go_repository has this warning:

CAUTION: Do not use this with services that prepare source archives on demand, such as codeload.github.com. Any minor change in the server software can cause differences in file order, alignment, and compression that break SHA-256 sums.

rules_go uses Github's https://github.com/*/*/archive/*.zip in quite a few places. It's problematic because rarely but it changes how it constructs an archive. See atlassian/bazel-tools#73 for an example.

Perhaps those places should be changed to either use https://github.com/*/*/releases/download/*/*.zip or git_repository (or equivalent features of go_repository).

[ash2k]

I can submit a PR with a fix.

[jayconrod]

This change is pretty recent (about a week or so). In the places where go_rules_dependencies references a generated GitHub archive URL, it also references a file on mirror.bazel.build first. mirror.bazel.build is a GCS bucket with files copied from the GitHub URLs. This makes the SHA-256 stable, since Bazel will try those URLs in order. So if GitHub changes how these archives are built again, it won't break builds. But both URLs are still there so you can check that the contents are the same.

git_repository is what we were using previously. However, it's considerably slower than http_archive and lacks global caching, so I'd rather avoid using it if we can.

I think the warning in go_repository is still relevant, though I'd encourage everyone to use it in module mode rather than HTTP mode.