If we're talking about source code and have some concerns, then do not specify a direct link to download the source code. For example, you can just grant "read" access to my personal GitHub account. This way you can be sure that only I have access to it.
In my opinion, this is the better idea regarding source code sharing.
But this is not the solution when we are talking about viruses, malware or vulnerabilities. Vendors can easily show you one thing and deliver another if they have bad intentions.