Google storage bucket md5hash changes on every run of Terraform apply in GitHub actions #72

Open
@robbins

Describe the bug
When running terraform apply using a GitHub actions workflow with google_image_nixos_custom as shown in the example config:

resource "random_id" "bucket" {
  byte_length = 8
}

# create a bucket to upload the image into
resource "google_storage_bucket" "nixos-images" {
  name     = "nixos-images-${random_id.bucket.hex}"
  location = "US"
}

# create a custom nixos base image the deployer can SSH into
#
# this could also include much more configuration and be used to feed the
# auto-scaler with system images
module "nixos_image_custom" {
  source      = "github.com/tweag/terraform-nixos/google_image_nixos_custom"
  bucket_name = google_storage_bucket.nixos-images.name
  nixos_config = "${path.module}/image_nixos_custom.nix"
}

Terraform detects that the md5hash of the google_storage_bucket_object has changed, even when I haven't made any changes to the repo. This is the output:

Terraform will perform the following actions:

  # module.nixos_image_custom.google_storage_bucket_object.nixos must be replaced
+/- resource "google_storage_bucket_object" "nixos" ***
      ~ crc32c           = "hptang==" -> (known after apply)
      ~ detect_md5hash   = "okiQS+ha88pmBeqKlPAG1Q==" -> "different hash" # forces replacement
      - event_based_hold = false -> null
      ~ id               = "nixos-images-2a682647b7c45337-images/m8ky02n1ik2gfyf7wsmjv0saiczb4r54-nixos-image-23.05pre-git-x86_64-linux.raw.tar.gz" -> (known after apply)
      + kms_key_name     = (known after apply)
      ~ md5hash          = "okiQS+ha88pmBeqKlPAG1Q==" -> (known after apply)
      ~ media_link       = "https://storage.googleapis.com/download/storage/v1/b/nixos-images-2a682647b7c45337/o/images%2Fm8ky02n1ik2gfyf7wsmjv0saiczb4r54-nixos-image-23.05pre-git-x86_64-linux.raw.tar.gz?generation=1673285901733547&alt=media" -> (known after apply)
      - metadata         = *** -> null
        name             = "images/m8ky02n1ik2gfyf7wsmjv0saiczb4r54-nixos-image-23.05pre-git-x86_64-linux.raw.tar.gz"
      ~ output_name      = "images/m8ky02n1ik2gfyf7wsmjv0saiczb4r54-nixos-image-23.05pre-git-x86_64-linux.raw.tar.gz" -> (known after apply)
      ~ self_link        = "https://www.googleapis.com/storage/v1/b/nixos-images-2a682647b7c45337/o/images%2Fm8ky02n1ik2gfyf7wsmjv0saiczb4r54-nixos-image-23.05pre-git-x86_64-linux.raw.tar.gz" -> (known after apply)
      ~ storage_class    = "STANDARD" -> (known after apply)
      - temporary_hold   = false -> null
        # (3 unchanged attributes hidden)
    ***

Plan: 1 to add, 0 to change, 1 to destroy.
module.nixos_image_custom.google_storage_bucket_object.nixos: Creating...
module.nixos_image_custom.google_storage_bucket_object.nixos: Still creating... [10s elapsed]
module.nixos_image_custom.google_storage_bucket_object.nixos: Creation complete after 12s [id=nixos-images-2a682647b7c45337-images/m8ky02n1ik2gfyf7wsmjv0saiczb4r54-nixos-image-23.05pre-git-x86_64-linux.raw.tar.gz]
module.nixos_image_custom.google_storage_bucket_object.nixos (deposed object 32048425): Destroying... [id=nixos-images-2a682647b7c45337-images/m8ky02n1ik2gfyf7wsmjv0saiczb4r54-nixos-image-23.05pre-git-x86_64-linux.raw.tar.gz]
module.nixos_image_custom.google_storage_bucket_object.nixos: Destruction complete after 0s

Apply complete! Resources: 1 added, 0 changed, 1 destroyed.
::debug::Terraform exited with code 0.

The image stored in the bucket isn't modified, so I'm not sure why the bucket hash is changing.

To Reproduce
Steps to reproduce the behavior.
Use the above config for main.tf and use GitHub actions to run terraform apply -auto-approve -input=false

Expected behavior
A clear and concise description of what you expected to happen.
Terraform should detect that nothing has changed and not make any changes.

Environment

  • OS name + version: Runner is on ubuntu-latest with Terraform 1.3.6
  • Version of the code: Latest commit

Additional context
When running terraform apply on my local machine, the md5 hash does not change, and terraform correctly detects that no changes are needed.
