Do you trust the developers? Okay.
Do you trust the developers, their infrastructure, AND the supply chain? Maybe a bitter pill to swallow.
Recommended reading: https://defuse.ca/triangle-of-secure-code-delivery.htm