Unfortunately, even if you did not pull code from random groups and instead curated your GitHub dependencies, you can still be caught by surprise when one person has a re-used password and no 2FA because “ugh, it’s so inconvenient”.
Nothing will fully secure the supply chain, but this certainly reduces risk, and given the impact software has in today’s world, it’s important.