Reproducible build - how is the tar.gz file produced?

A follow-up to my other question about reproducible builds.

The build depends on the source code download, whose latest version is

Is there an easy way to reproduce that source archive from the main restic repo? Something with git-archive, perhaps? Or is it somehow auto-generated by GitHub?

GitHub generates that download automatically when you push a tag. I believe it’s the same as what you would get with git-archive.

git archive -o src.tar.gz 272ccec7
sha256sum src.tar.gz
0fc0288064d1503a71570f1c22ec2ed8570d31eda538078a62f4ac0daf436638 src.tar.gz

However, the sha256sum of the latest release is different:
0cf697c88404b180d6d6ff2e7d2c27b2fcb9536da6dbdf15ad4d320af7e8f17c restic-0.8.3.tar.gz

git-archive has a bunch of flags that might affect the output file, so we might need to know what flags GitHub uses to generate the archive. Unfortunately, I couldn’t figure that out after a bit of searching.

It turns out the answer was already available in the documentation.

By analogy:

git archive --format=tar --prefix=restic-0.8.3/ v0.8.3 | gzip -n > restic-0.8.3.tar.gz

And indeed the sha256sum checks out:
sha256sum restic-0.8.3.tar.gz
0cf697c88404b180d6d6ff2e7d2c27b2fcb9536da6dbdf15ad4d320af7e8f17c restic-0.8.3.tar.gz

So that completely answers this question.
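To show why the `--prefix` and `gzip -n` parts of that command matter for the checksum, here is an added Python example (not from the thread or the restic project). It builds small constructed archives in memory as a stand-in for `git archive | gzip`, then reports the gzip header fields that `gzip -n` leaves empty and the top-level path prefix inside the tar. The file name `main.go`, the timestamps and the helper names are assumptions made for the illustration.

```python
import gzip
import hashlib
import io
import struct
import tarfile


def make_archive(prefix, gz_mtime, gz_name=""):
    """Constructed stand-in for `git archive --prefix=... | gzip`: one file, fixed tar metadata."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w", format=tarfile.PAX_FORMAT) as tar:
        data = b"package main\n"              # constructed sample content
        info = tarfile.TarInfo(prefix + "main.go")
        info.size = len(data)
        info.mtime = 1522000000               # constructed fixed timestamp
        tar.addfile(info, io.BytesIO(data))
    out = io.BytesIO()
    # gz_mtime=0 and gz_name="" mimic `gzip -n` (no timestamp, no original name stored).
    with gzip.GzipFile(filename=gz_name, mode="wb", fileobj=out, mtime=gz_mtime) as gz:
        gz.write(tar_buf.getvalue())
    return out.getvalue()


def inspect(blob):
    """Report the fields that make identical source trees hash differently."""
    # gzip header (RFC 1952): magic, compression method, flags, MTIME (little-endian).
    magic, method, flags, mtime = struct.unpack("<HBBI", blob[:8])
    if magic != 0x8B1F or method != 8:
        raise ValueError("not a gzip/deflate stream")
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        first = tar.next()
        top = first.name.split("/")[0] + "/" if "/" in first.name else ""
    return {
        "sha256": hashlib.sha256(blob).hexdigest(),
        "gzip_mtime": mtime,                   # 0 when written like `gzip -n`
        "gzip_has_name": bool(flags & 0x08),   # FNAME flag
        "tar_prefix": top,                     # e.g. "restic-0.8.3/"
    }


if __name__ == "__main__":
    for label, blob in [
        ("prefix + no-name", make_archive("restic-0.8.3/", 0)),
        ("prefix + name/mtime", make_archive("restic-0.8.3/", 1522000000, "src.tar")),
        ("no prefix + no-name", make_archive("", 0)),
    ]:
        print(label, inspect(blob))
```

Running `inspect` on the bytes of two real downloads that should match points at which of these fields differs.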