cjbprime
a year ago
If you have a large client population, you could try something where you pick e.g. ten clients at random to build-and-upload the same artifact, and if they all come up with exactly the same artifact, and collusion between them is sufficiently implausible, you could decide to trust it.
Apple also has something for iOS called "App Attestation", where you could publish an app to do the building, and then if your server receives an upload from a successfully-signed app instance, you would know that the app code itself was not modified: https://developer.apple.com/documentation/devicecheck/establ...
This is all assuming you can't just do the build yourself to verify what they did. (If you could, why would you need them to upload it?)
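The replicate-and-compare idea from the comment above, as an added example that is not part of the original thread. It assumes builds are reproducible (byte-identical output from honest clients); the function names, client IDs and artifact bytes are hypothetical and constructed for illustration.

```python
import hashlib
import secrets
from math import comb

def pick_builders(client_ids, k):
    """Pick k distinct clients with a CSPRNG so selection can't be predicted."""
    pool = sorted(set(client_ids))
    if k > len(pool):
        raise ValueError("not enough clients to sample from")
    return secrets.SystemRandom().sample(pool, k)

def validate_uploads(selected, uploads):
    """Return (digest, reason); digest is None unless every selected client
    uploaded a byte-identical artifact. Unselected uploads are ignored."""
    digests = set()
    for cid in selected:
        blob = uploads.get(cid)
        if blob is None:
            return None, f"missing upload from {cid}"
        digests.add(hashlib.sha256(blob).hexdigest())
    if len(digests) != 1:
        return None, f"{len(digests)} distinct artifacts"
    return digests.pop(), "unanimous"

def all_colluding_probability(population, malicious, k):
    """Chance that a uniform random k-subset is drawn entirely from the
    malicious clients (hypergeometric), i.e. unanimity proves nothing."""
    if k > population:
        raise ValueError("k exceeds population")
    return comb(malicious, k) / comb(population, k)

if __name__ == "__main__":
    # Constructed sample data: 1000 hypothetical client IDs, one honest artifact.
    clients = [f"client-{i:04d}" for i in range(1000)]
    chosen = pick_builders(clients, 10)
    uploads = {cid: b"constructed artifact bytes" for cid in chosen}
    print(validate_uploads(chosen, uploads))
    uploads[chosen[3]] = b"tampered artifact bytes"
    print(validate_uploads(chosen, uploads))
    print(all_colluding_probability(1000, 100, 10))
```

The last function puts a number on "collusion is sufficiently implausible": it is the probability that the whole sample came from the malicious subset, given an assumed count of malicious clients.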
solardev
a year ago
I think this is how BOINC does it too:
https://github.com/BOINC/boinc/wiki/JobReplication
https://boinc.n-helix.com/trac/wiki/ValidationSummary
--------
Unrelated, there is also https://en.wikipedia.org/wiki/Homomorphic_encryption
SUPERCILEX
a year ago
Thanks for the links!
SUPERCILEX
a year ago
So you have to use probabilistic methods. Makes sense, thanks!