That indeed seems to be the case. Seems that for community providers, HashiCorp is serving up JSON which refers to GitHub download links.

Here’s a sample size of 1: https://registry.terraform.io/v1/providers/spacelift-io/spac...

According to the provider registry protocol, which I have previously implemented for internal hosting (in an afternoon of writing a single file of Python): https://developer.hashicorp.com/terraform/internals/provider...

For their own managed providers they no longer provide binaries in GitHub releases, and serve them from their own servers instead. Which feels like a trap BTW.

I didn't realize that, and extra weird they publish the SHA256SUM file as a release artifact but it references 14 zip files and the manifest.json so, ... thanks?

But, in their defense, installing an "unofficial" provider (or build!) into TF is some JFC so there's that. We'll just add that onto the damn near infinite pile of "I hope OpenTF fixes ..." things