Yes you can tamper the executables if it’s you on your pc compiling the code and upload it to the release page…
BUT if you use ci/cd pipelines, you can almost be sure it’s not a human who is in charge of compiling. It’s a robot who automatically clones the repo, launch the build and upload the artifact to release. It’s much more transparent this way