charcircuit, today at 2:28 PM

>a government would want to review the code and compile themselves. Provide a hash of the target binary to ensure they've compiled it correctly.

The government doesn't want to do this. A lot of the time the government doesn't even get the source code in the first place.

>provide auditors with _proof_ that the tested binary is indeed coming from the audited code

This can be done by showing the auditor how one's CI is set up to build checked-in code and sign it.