unable to recreate published binaries from published assets  #3395

Open
@wfurt

Describe the bug

This impacts reproducibility for anybody who wants to re-create published binaries. While not crucial for functionality, I think there should be an expectation that binaries can be reproduced by independent parties.

https://github.com/microsoft/msquic/releases/tag/v2.1.7

The page offers binaries and source code. The problem is that the sources do not contain the submodules that are essential for the build, and there is no easy way to figure it out without messing with git. Even with .gitmodules there is no commit number, and not all submodules are linked to a branch or tag. That makes it difficult for anybody who wants to build a package from the published assets.

Affected OS

  • Windows
  • Linux
  • macOS
  • Other (specify below)

Additional OS information

No response

MsQuic version

main

Steps taken to reproduce bug

Attempt to rebuild release binaries from https://github.com/microsoft/msquic/archive/refs/tags/v2.1.7.tar.gz

Expected behavior

It should be possible to recreate release binaries from published assets. In the ideal case, we would also publish the used submodules. That would make it really easy for package maintainers to consume me.
If not, we should publish a list of submodules with branches or release hashes.
The expectation is that somebody can automate the build after a new release is published.
This should not depend on 'git', as many build systems prevent online access during the build phase.

Actual outcome

Submodules are missing and the build fails.

Additional details

No response
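
One way to produce the submodule list with hashes that the issue asks for, as an added example (not part of the original issue or MsQuic's tooling): Git records each submodule pin as a mode-160000 tree entry, so joining `git ls-tree -r <tag>` output with `.gitmodules` gives path, URL and commit. The submodule paths, URLs and hashes below are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample inputs (not MsQuic's real submodules, URLs or commits).
GITMODULES = """\
[submodule "submodules/libfoo"]
\tpath = submodules/libfoo
\turl = https://example.com/upstream/libfoo.git
[submodule "submodules/libbar"]
\tpath = submodules/libbar
\turl = https://example.com/upstream/libbar.git
"""
# Same shape as `git ls-tree -r <tag>` output: "<mode> <type> <sha>\t<path>".
LS_TREE = (
    "100644 blob " + "1" * 40 + "\t.gitmodules\n"
    "160000 commit " + "a" * 40 + "\tsubmodules/libfoo\n"
    "160000 commit " + "b" * 40 + "\tsubmodules/libbar\n"
)

def parse_gitmodules(text):
    """Return {path: {key: value}} for each [submodule ...] section."""
    mods, cur = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[submodule"):
            cur = {}
        elif cur is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            cur[key] = value
            if key == "path":
                mods[value] = cur
    return mods

def pinned_commits(ls_tree_text):
    """Return {path: sha} for gitlink entries (mode 160000, type commit)."""
    pins = {}
    for line in ls_tree_text.splitlines():
        meta, _, path = line.partition("\t")
        fields = meta.split()
        if len(fields) == 3 and fields[:2] == ["160000", "commit"]:
            pins[path] = fields[2]
    return pins

def build_manifest(gitmodules_text, ls_tree_text):
    """Join pins with URLs; fail closed if an offline build could not fetch one."""
    mods, rows = parse_gitmodules(gitmodules_text), []
    for path, sha in sorted(pinned_commits(ls_tree_text).items()):
        if "url" not in mods.get(path, {}):
            raise ValueError(f"no url recorded for submodule {path}")
        if not re.fullmatch(r"[0-9a-f]{40}|[0-9a-f]{64}", sha):
            raise ValueError(f"malformed commit id for {path}")
        rows.append((path, mods[path]["url"], sha))
    return rows
```

Published next to a release, the resulting rows let a packager fetch each submodule at the exact commit ahead of time and then build with network access disabled.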
