Use stable tarball links in build process

[inkydragon]

tldr:

• Upload and publish a release tarball, then use the URL.
• The automatically generated archives (.tar.gz, .zip) are unstable.

If you rely on stable archives for security (ensuring you don’t accidentally trigger a tarbomb, for example), we recommend you switch to release assets instead of using source downloads. On the Releases page, these are the assets which were uploaded to GitHub and appear with their file size.
Files can be added to a release manually in the web or with something like this (third-party) GitHub Action. You can later use the Release Assets REST API to retrieve them. If relying on release assets isn’t possible, we urge you to consider designs that can accommodate (infrequent) future hash changes.

—— https://github.blog/2023-02-21-update-on-the-future-stability-of-source-code-archives-and-hashes/

xref:

• [Sources] Ban GitHub-generated archives as sources JuliaPackaging/BinaryBuilderBase.jl#293
• Checksum mismatches on .tar.gz files - orgs/community
• Should rulesets distribute a pre-built artifact rather than rely on GitHub source/release archive bazel-contrib/SIG-rules-authors#11 (comment)

---

todo:

• deps\blastrampoline.mk
• deps\libgit2.mk
• deps\libssh2.mk
• deps\libuv.mk
• deps\libwhich.mk
• deps\llvm.mk
• deps\openblas.mk
• deps\openlibm.mk
• deps\utf8proc.mk
• deps\zlib.mk