All packages with git source always checkout and rebuild

I do not think a same git version packed by xz with different arch and xz version , will got the same HASH value.

Yes, you are quite correct. PKG_HASH_MIRROR is NOT stable across "builder" distributions. We had massive headaches with openwrt-19.07+ and some internal packages now that it has been made mandatory.

If we run the build (and thus the git-clone + repack into a tarball) under Ubuntu 18 LTS, we get a different hash than when we do so in our Debian 10 docker builder.

I have not looked in depth for the reasons, but evidently there are non-deterministic steps involved in the tarball generation (e.g. not using reproducible-builds-compliant gzip, tar/pax, and stabilizing all timezone and locale-related changes).

The openwrt buildbots did not yet get their major OS version updated, and are all based on exactly the same operating system, so this hindrance/bug is not being triggered in the official repositories and CI/CD pipeline. Yet. Hopefully Debian 9 -> Debian 10 doesn't trigger it, but if it does, it will be painful.