You'll find this often – lots of SoHo routers comply with GPL2 by tossing a tarball of the software they run on a crusty FTP site somewhere. Download it and pop it open and you'll often find README.txt and a .tar.bz2 of Linux 2.6 whose SHA matches what you'll find on kernel.org... because they didn't actually modify any GPL2 code.
Compliance doesn't mean they don't have to make it easy for you ;)
You are already using Github. Someone tells you you need to publish exactly the source code that your company's deploying. The repo containing that code is not on Github. The easiest way to get ahold of that code, with any certainty that it's exactly what's actually running, but nothing else, is to grab the archive that's sent to the production servers for deployment.
Here you are with a hammer, and a screw. You just need to get this done so you can go back to doing the dozen other things you'd hoped to get done this week. You could find some file hosting somewhere. You could unzip the file. You could do a lot of things. But here's this hammer, and here's this screw. You already have the hammer. It's free. You don't even need to walk across the room to get it, you're already holding it.
What’s hilarious about that? Seems like a pretty simple way to do it. Especially for a file that isn’t going to be downloaded enough to require a real CDN.
It's just funny because they're removing it from a source code repo, packaging it up into a zip, and adding it to another source code repo. If they didn't mind including the change history they could've just published the code as-is as a clone. If they did want to strip the change history they could've published it as a shallow clone or an artifact. But instead they chose to push a ZIP file into a repo with a single branch. I guess at least they'll have a history of their ZIP files.
They do have it. They used to publish it. Then someone found a vulnerability in a commit of theirs (6e42e3b1eca73c306db1580719a3a1bfb715f6d8 if you're interested in looking it up in a mirror), exploited it, and took all data Gab ever had.
This current approach is just a deliberate obfuscation in an attempt for it not to repeat. By just providing a zip you can't really look at their changes on top of Mastodon with git log, you have to put in slightly more effort.