Looking at https://pantsbuild.github.io/setup/pants I notice there are a number of redirects. Nothing strange about it, however, I’m a bit concerned that the first hop is for a HTTP location (which in turn simply 301:s to the HTTPS counterpart) but that means we have one insecure request in the middle of what otherwise seems like a secured communication. Not a biggie, but feels unnecessary.

Hmm, we don't control that redirect chain, but it's odd that GitHub is doing that.

Odd indeed. Feels like a misconfiguration on their part then..