Yeah, it isn't straightforward, and you put trust in the community, sort of thing. I've forked a previous version of one of the repos that has a GitHub workflow to build it automatically and have gone through that to make sure it's clean. I can make suggestions as to a repo to use, but mine is private since they get DMCA notices, I believe.
If you go back in the commit history far enough, you can find when the Actions workflow files were deleted. I used that (and other repos found via search) to set up the auto builds on mine.