This works if builds are reproducible (ie if two people building the same release will get the same bytes out), and that is a good thing to aim for, but in practice at the moment it is surprisingly common for the output to be affected by things like the versions of dependency libs you currently have installed, compiler version, current time, etc. Progress has been made towards reproducible builds in many languages, but that has taken a fair amount of work, so it seems unlikely that it can happen any time soon for everything. I hope we do start seeing reproducible builds in more critical infrastructure so that we can make progress towards this world, and maybe that's the best we can hope for, but it seems unlikely to me that a package like this, with a single maintainer that wasn't particularly motivated to work on it, would do that work.
It's still not a silver bullet though - this attacker already demonstrated an ability to use sock puppet accounts to achieve their goals, so in this case it would likely have only represented a minor inconvenience for them. Of course, multiple minor inconveniences can quickly add up to a significant increase in the effort required to pull off an attack like this, especially doing so undetected, so it would still be valuable.
Ah I see - yes, I agree that would clearly be a good thing. Again not a silver bullet - they did still sneak multiple changes into the repo itself in plain sight to set the groundwork for this attack, and it doesn't address any binary distribution avenues where simply taring a git repo is not sufficient - but clearly a good thing. It sounds like there are good reasons for the current setup, but that is definitely something we should be moving away from.