By pointing to your repo and inviting them to make a PR. Because your system is open source, uses reproducible builds, and attestation so users can directly verify the binaries you're running come from the open code they can audit. This is the same reason a three-letter agency approaching Linux and asking for a backdoor won't work.