Hash mismatches from Github releases are a rare but recurrent problem.
The issue is that developers sometimes re-publish releases under the exact same version. Since we index based on version, in those cases we keep a stale sha256 hash in our self-signed events.
Github does not expose hashes anywhere in their releases API. I'll see if I can mitigate this with a timestamp check.