Thinking about this more: maybe there would be some benefit to GitHub taking control of "release" repositories that may only be written to be GA. They'd write everything -- maybe as a docker image -- so anyone could pull down the image and compare SHAs, or whatever. And maybe this could also be done by their competitors. The ultimate goal would be to have multiple trusted parties performing the build on the same code producing the same output, and allowing any randos to do the same.
If the source is included in those images, we could conceivably prove that the target was based on the source.
It's not nice and easy, true.
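As an added illustration of the scheme discussed above (this is not code from the thread or from GitHub), the script below simulates several independent builders building the same source and publishing (builder, source digest, artifact digest) attestations. A verifier only accepts an image when a quorum of distinct trusted builders agree on the artifact digest for the audited source, and the image's embedded source is the one the verifier has. The builder names, the JSON "image" format, the quorum of two, and the toy build steps are all assumptions made for this example; the non-deterministic variant shows why a leaked timestamp makes the whole scheme fall apart even when nobody cheats.

```python
import hashlib
import json
from collections import Counter

# Assumed set of mutually independent builders whose attestations the verifier
# trusts; "rando" builders may publish attestations too, but their votes do not count.
TRUSTED_BUILDERS = frozenset({"github", "gitlab", "sourcehut"})
QUORUM = 2  # assumed policy: at least two distinct trusted builders must agree


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def deterministic_build(source: bytes) -> bytes:
    """Toy stand-in for a release image: canonical JSON that embeds the source and
    its digest. No timestamps, paths or host data leak in, so every builder that
    runs this on the same source gets byte-identical output."""
    payload = {
        "source_sha256": sha256(source),
        "source": source.decode(),
        "output": source.decode().upper(),  # stand-in for the compiled target
    }
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def nondeterministic_build(source: bytes, build_time: str) -> bytes:
    """Same build with a build timestamp baked in: digests no longer match across
    builders, so no consensus can form even though nobody tampered with anything."""
    payload = json.loads(deterministic_build(source))
    payload["built_at"] = build_time
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def attest(builder: str, source: bytes, artifact: bytes) -> dict:
    """What each builder publishes: who built, from which source, to which output."""
    return {"builder": builder,
            "source_sha256": sha256(source),
            "artifact_sha256": sha256(artifact)}


def consensus_artifact_digest(attestations, expected_source_sha256,
                              trusted=TRUSTED_BUILDERS, quorum=QUORUM):
    """Return the artifact digest that at least `quorum` distinct trusted builders
    report for `expected_source_sha256`, or None if no digest reaches the quorum."""
    votes = {}
    for a in attestations:
        b = a["builder"]
        if b not in trusted or b in votes:
            continue  # untrusted builders and repeat votes from one builder are ignored
        if a["source_sha256"] != expected_source_sha256:
            continue  # built something else; irrelevant to this source
        votes[b] = a["artifact_sha256"]
    if not votes:
        return None
    digest, n = Counter(votes.values()).most_common(1)[0]
    return digest if n >= quorum else None


def verify_artifact(artifact: bytes, source: bytes, consensus_digest) -> bool:
    """Accept a downloaded image only if (1) it hashes to the consensus digest and
    (2) the source it embeds is exactly the source that was audited."""
    if consensus_digest is None or sha256(artifact) != consensus_digest:
        return False
    try:
        payload = json.loads(artifact)
    except ValueError:
        return False
    return (payload.get("source_sha256") == sha256(source)
            and payload.get("source") == source.decode())


if __name__ == "__main__":
    src = b"print('hello')\n"  # constructed sample source
    image = deterministic_build(src)
    atts = [attest(b, src, image) for b in sorted(TRUSTED_BUILDERS)]
    digest = consensus_artifact_digest(atts, sha256(src))
    print("consensus digest:", digest)
    print("local image verified:", verify_artifact(image, src, digest))
```

Anyone can run `deterministic_build` themselves and check that their digest matches the consensus; a single trusted builder that tampers is outvoted, and a flood of attestations from one builder or from untrusted parties never reaches the quorum.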