My workflow was to look at the site with a web browser (with working up to date TLS), and note the hash of the final commit of master. This can be done on a different machine.
Then one clones the repo from the non https capable machine, and verifies the hash for the tip of master. Rinse and repeat for any other branches of interest, especially if only performing a limited clone.
Except git uses SHA-1 for those. Additionally, unless you verify the ENTIRE hash, not just 6 characters, it's trivial to brute force specific hashes into git.
I myself have committed with a hash of 0000000 into a git repository twice, meaning it is easy to confuse those two commits.
An attacker would merely have to brute force the tip of their attacker repository, a matter which you can do within the hour on a stock standard PC.
My example was using cut'n'paste, then cmp, so the full 40 char hash. I don't try comparing those things manually.
As I said, trivial to prove valid; and since I was actually reading, using, and compiling the code, quite difficult to achieve a collision in the circumstances.
Then just fake the first and last characters; not much of an additional challenge. Few people compare all characters; they compare the first and last few. I bet that would have even caught you unaware in some moments.
Brute forcing a commit hash requires no gibberish binary files with random names; the data can be inserted into the commit metadata in ways that won't even show up in your git log. Forcing the entire commit hash is hard, but by default everyone only checks the first 6 digits anyway.
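The workflow described earlier in the thread (note the full commit hash on a trusted machine, clone elsewhere, compare the tip) only holds up if the comparison covers all 40 hex characters. The following is an added example, not code from anyone in this thread: it reproduces how git derives a commit object id (SHA-1 over the header `commit <size>\0` followed by the raw object body), and contrasts a strict verifier that demands a full hash and an exact match with the prefix-only check the thread warns against. The commit body and the `ATTACKER_LIKE_HASH` value are constructed for illustration; the tree id inside the body is git's well-known empty-tree hash.

```python
import hashlib
import re

# Exactly 40 lowercase hex digits: anything shorter is an abbreviation and is rejected.
FULL_SHA1_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed commit object body (the part git stores after the object header).
# The tree id is git's empty-tree hash; author/committer are placeholders.
COMMIT_BODY = (
    b"tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
    b"author Example Dev <dev@example.invalid> 1700000000 +0000\n"
    b"committer Example Dev <dev@example.invalid> 1700000000 +0000\n"
    b"\n"
    b"Initial commit\n"
)


def git_commit_object_id(body: bytes) -> str:
    """Return the object id git assigns to a commit with this body.

    Git hashes "commit <byte length>\\0" + body with SHA-1, which is why any
    change to the metadata (author line, timestamp, message) yields a new id.
    """
    header = b"commit %d\0" % len(body)
    return hashlib.sha1(header + body).hexdigest()


def verify_tip(expected: str, actual: str) -> bool:
    """Strict check: both values must be full 40-hex ids and must be identical.

    `expected` is what you noted on the trusted machine; `actual` is what
    `git rev-parse <branch>` reports on the clone being verified.
    """
    expected = expected.strip().lower()
    actual = actual.strip().lower()
    if not FULL_SHA1_RE.fullmatch(expected) or not FULL_SHA1_RE.fullmatch(actual):
        return False  # refuse abbreviated or malformed ids outright
    return expected == actual


def prefix_only_check(expected: str, actual: str, n: int = 7) -> bool:
    """The weak comparison people do by eye: only the first n characters."""
    return expected.strip().lower()[:n] == actual.strip().lower()[:n]


def demo() -> dict:
    """Show that a different hash sharing a short prefix passes the weak check
    but not the strict one, and that touching metadata changes the id."""
    genuine = git_commit_object_id(COMMIT_BODY)
    # Constructed: same first 7 characters, different remainder (not a real collision).
    attacker_like_hash = genuine[:7] + ("0" * 33 if genuine[7] != "0" else "1" * 33)
    tampered_body = COMMIT_BODY.replace(b"1700000000 +0000\n\n", b"1700000001 +0000\n\n")
    return {
        "genuine": genuine,
        "strict_accepts_genuine": verify_tip(genuine, genuine),
        "strict_rejects_abbreviated": not verify_tip(genuine[:7], genuine),
        "strict_rejects_lookalike": not verify_tip(genuine, attacker_like_hash),
        "prefix_accepts_lookalike": prefix_only_check(genuine, attacker_like_hash),
        "metadata_change_alters_id": git_commit_object_id(tampered_body) != genuine,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In practice `actual` comes from `git rev-parse refs/heads/master` (or the branch of interest) on the freshly cloned repository, and `expected` from the web UI or a trusted clone; copy the whole id rather than the abbreviated form the UI shows by default, since `verify_tip` is deliberately useless with a 7-character value.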
Now the sadly amusing aspect of all this is that I only noticed the https issue in the first place, because I'd previously cloned some repos on the machine using it.
Then some time later, when doing a fetch, I received a TLS negotiation rejection complaint. GitHub had turned off support for earlier TLS versions, and the machine in question did not implement the later version. (I believe this was on an old macOS version.)
So as a workaround, I altered the refspec in the git config file to switch to using the raw git protocol.
i.e. their earlier 'improve security' measure drove me to switch to the 'improved' unencrypted git protocol.