SwiftPM records security fingerprints permanently in your home folder (see ~/.swiftpm/security, although on some platforms it is a symlink to elsewhere). If SwiftPM ever attempts to fetch the same version again but receives different content, it will throw an error (which looks like this). If this per‐user memory is not broad enough, you can persist the security folder across CI runs, sync it across workstations, etc.