The bare minimum for running security-critical services is multi-party verified deterministic builds running on remotely attestable enclaves.
My teammates and I at Distrust have been helping teams architect and build this way for 5+ years now.
It was tough watching people repeatedly struggle to do everything from zero.
So we built the first 100% FOSS general-purpose verifiable compute platform: Caution.
For prioritized early access, join #caution-platform:matrix.org