151 points fastest963 | 1 comments
1. lrvick No.45777066
Just remember the only truly immutable release is one signed by a key the host does not have access to, or one where you pin a hash locally at the point of consumption.

Microsoft does not have strict third-party code review policies internally, has been hit with supply chain attacks before, and will be hit again. Consider this a nice-to-have feature, but give it zero trust.
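An added example, not part of the comment above: one way to pin a hash locally at the point of consumption, so a release republished under the same name is rejected regardless of what the host claims. The artifact names, sample bytes and `sha256sum`-style pin file are constructed for illustration; in practice the pin is recorded once at review time and committed alongside the consuming code.

```python
import hashlib
import hmac
import io

class PinError(Exception):
    """Artifact has no local pin, a malformed pin, or does not match its pin."""

def sha256_stream(stream, chunk_size=65536):
    """Hash a file-like object in chunks so large artifacts are not loaded whole."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()

def parse_pins(text):
    """Parse sha256sum-style lines ('<hex digest>  <name>') into {name: digest}."""
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        digest, name = digest.lower(), name.strip().lstrip("*")
        if not name or len(digest) != 64 or set(digest) - set("0123456789abcdef"):
            raise PinError(f"malformed pin line: {line!r}")
        pins[name] = digest
    return pins

def verify_artifact(name, stream, pins):
    """Return the digest if it matches the local pin; fail closed otherwise."""
    if name not in pins:
        raise PinError(f"no local pin for {name!r}; refusing to use it")
    actual = sha256_stream(stream)
    if not hmac.compare_digest(actual, pins[name]):
        raise PinError(f"{name!r} has digest {actual}, which differs from the pin")
    return actual

def accepts(name, data, pins):
    try:
        verify_artifact(name, io.BytesIO(data), pins)
        return True
    except PinError:
        return False

# Constructed sample data. The pin is derived here only to keep the example
# self-contained; a real pin is written down when the release is reviewed.
NAME = "tool-v1.2.3.tar.gz"
ORIGINAL = b"release contents as reviewed (constructed sample)\n"
REPUBLISHED = b"release contents after upstream change (constructed sample)\n"
PINS_TEXT = f"# pins recorded at review time\n{hashlib.sha256(ORIGINAL).hexdigest()}  {NAME}\n"

def demo():
    """(reviewed bytes, same name with new bytes, name with no pin)"""
    pins = parse_pins(PINS_TEXT)
    return (accepts(NAME, ORIGINAL, pins), accepts(NAME, REPUBLISHED, pins),
            accepts("tool-v1.2.4.tar.gz", ORIGINAL, pins))
```
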