I guess that is because you're not using %{version} in Source0:
http://pkgs.stg.fedoraproject.org/cgit/audacious.git/tree/audacious.spec#n18

Using %version would make it too inconvenient to build snapshots and pre-releases.

Hm.. I'm not sure there's a reasonable way for us to handle the case of your spec file.

FWIW, you can keep %{version} in the source url and still handle pre-releases like this:
http://pkgs.fedoraproject.org/cgit/task.git/tree/task.spec

Hm. As a feature for the-new-hotness, we could check that the tarball downloaded by 'fedpkg sources' and the tarball downloaded by 'spectool' after bumping the version are not the same tarball.

• We can't necessarily trust that they will have the same md5sum, since github tarballs are generated on-demand, and therefore have different timestamps.

Yes, trying to "upgrade" the "sources" file cleanly would be a great idea. I'm sure other packages are affected, too.

Obviously, working around the issue is what I'll do in this package. Now that it affects a service like this. I'm aware of various things one can do with macros/conditionals. And as of Audacious 3.6 the needed tarball appends "-gtk3" to version, which cannot be copied verbatim for RPM %version anyway.

We can't necessarily trust that they will have the same md5sum, since github tarballs are generated on-demand, and therefore have different timestamps.

In response, @nirik says "I guess you could unpack it and diff -Nur".

This sounds like a good plan to me.

I've been trying to reproduce the original problem we had with github, I downloaded the sources via two places (tags and commit), here is the output:

   wget https://github.com/fedora-infra/the-new-hotness/archive/0.3.3.tar.gz * 3     
$ sha256sum 0.3.3.tar.gz*                                                  
e02a21a3685f7019e7bd92964665d2f95338e3be306f99c54757239511fd62ab  0.3.3.tar.gz
e02a21a3685f7019e7bd92964665d2f95338e3be306f99c54757239511fd62ab  0.3.3.tar.gz.1
e02a21a3685f7019e7bd92964665d2f95338e3be306f99c54757239511fd62ab  0.3.3.tar.gz.2

  wget https://github.com/fedora-infra/the-new-hotness/archive4f10baed700eee823ff5c0d971fed0b04674f30f.zip * 3
$ sha256sum 4f10baed700eee823ff5c0d971fed0b04674f30f.zip*
467c0af71750c561ff62faeec60a2ba7bf1e477457da17cf8b8d9e7e9034e92a  4f10baed700eee823ff5c0d971fed0b04674f30f.zip
467c0af71750c561ff62faeec60a2ba7bf1e477457da17cf8b8d9e7e9034e92a  4f10baed700eee823ff5c0d971fed0b04674f30f.zip.1
467c0af71750c561ff62faeec60a2ba7bf1e477457da17cf8b8d9e7e9034e92a  4f10baed700eee823ff5c0d971fed0b04674f30f.zip.2

So looks like we're good for these two links