Given that addition of files is done through Git, perhaps the build step that creates the SRI information should also be committed to Git - instead of happening during deployment?
That would provide more confidence, transparency and verifiability for these values.
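One way to check committed SRI values against the files in the repository, for example as a CI step. This is an added example, not part of the original comment or the project's code; the manifest name `sri.json` and its layout (relative path mapped to a single integrity string) are assumptions.

```python
"""Verify committed SRI values against the files in the working tree (added example)."""
import base64
import hashlib
import json
import sys
from pathlib import Path


def sri_hash(data: bytes, alg: str = "sha384") -> str:
    """Return an SRI integrity string such as 'sha384-<base64 digest>'."""
    digest = hashlib.new(alg, data).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def verify_manifest(manifest: dict, root: Path) -> list:
    """Compare each committed integrity value with the file on disk.

    Returns a list of (path, problem) tuples; empty means everything matches.
    """
    problems = []
    for rel_path, committed in manifest.items():
        target = (root / rel_path).resolve()
        # Refuse manifest entries that point outside the repository root.
        if not target.is_relative_to(root.resolve()):
            problems.append((rel_path, "outside root"))
            continue
        if not target.is_file():
            problems.append((rel_path, "missing file"))
            continue
        alg = committed.split("-", 1)[0]
        if alg not in ("sha256", "sha384", "sha512"):
            problems.append((rel_path, "unsupported algorithm"))
            continue
        if sri_hash(target.read_bytes(), alg) != committed:
            problems.append((rel_path, "hash mismatch"))
    return problems


if __name__ == "__main__":
    # Assumed layout: sri.json at the repository root, {"path": "sha384-..."}.
    root = Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    manifest = json.loads((root / "sri.json").read_text())
    failures = verify_manifest(manifest, root)
    for path, problem in failures:
        print(f"{path}: {problem}")
    sys.exit(1 if failures else 0)
```

With the manifest under version control, a change to a file without a matching change to its integrity value shows up in review and fails this check.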