Last month, several American institutions, including the NSA, published a document on what to do in order to avoid or at least mitigate supply chain attacks in software development, like the SolarWinds compromise:
Securing the Software Supply Chain
The relevant aspects of a secure development environment and process are described systematically and in great detail, which may help to identify any strengths and weaknesses in one’s own environment. So this seems to me to be a valuable resource well worth reading.
Just a warning: While the practices described there are very good and worth adopting, the amount of work needed for that will probably be far beyond available resources, but it’s the goal that counts!
I’m calling it especially to the attention of @adw and @marmarek, hoping that it will help with Qubes development, which - as far as I can see - is already using a lot of these techniques.