As the title suggests, is there a way for us to verify/validate, like a checksum, that the downloaded package was installed properly and as intended? (Part of Audit)
So there are two things here:
1) Audit that the package you want - is the package on Server.
2) Verify/validate that it was installed correctly (vs. the object being on server) --- I assume you are mostly focused on proving the package on Server is the package you want (if it doesn't run --- that's not really an audit issue --- that's a management issue).
The short is --- you need to build or buy a CI/CD solution here and maybe add SHA checksum steps? I think you're skipping steps here --- you should be focusing on how you manage prod deploys of workflows --- and I'd look at some JIRA/GH Repo/GH Actions/S3/Lambda combo there --- and as part of that system you add the checksum validation.
Without that you are basically saying: 1) retrieve .yxzp as blob via server API. 2) compare checksum SHA of retrieved file vs. designated 'original file'.
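
The two steps in the reply above (retrieve the .yxzp blob, compare its SHA checksum with the designated original), as an added example that is not part of the original posts. It assumes the .yxzp package is a ZIP container and that the blob has already been fetched from the server API (the fetch is not shown); the function names and sample file names are constructed. It goes one step beyond the reply by listing per-member differences when the whole-file hashes do not match.

```python
import hashlib
import io
import zipfile


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def member_digests(package: bytes) -> dict:
    """Map each archive member name to the SHA-256 of its uncompressed content."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        return {i.filename: sha256_hex(zf.read(i))
                for i in zf.infolist() if not i.is_dir()}


def audit_package(approved: bytes, retrieved: bytes) -> dict:
    """Compare the blob pulled from the server with the approved original."""
    a, r = sha256_hex(approved), sha256_hex(retrieved)
    report = {"approved_sha256": a, "retrieved_sha256": r, "identical": a == r,
              "content_equal": a == r, "added": [], "removed": [], "changed": []}
    if report["identical"]:
        return report
    # Whole-file hashes differ: record which members differ, so the audit log
    # separates a re-zipped but equal package from a modified workflow.
    old, new = member_digests(approved), member_digests(retrieved)
    report["added"] = sorted(new.keys() - old.keys())
    report["removed"] = sorted(old.keys() - new.keys())
    report["changed"] = sorted(n for n in old.keys() & new.keys() if old[n] != new[n])
    report["content_equal"] = not (report["added"] or report["removed"]
                                   or report["changed"])
    return report


def build_sample(files: dict, date=(2024, 1, 1, 0, 0, 0)) -> bytes:
    """Constructed sample package standing in for a real .yxzp (assumed ZIP)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in files.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=date), body)
    return buf.getvalue()


if __name__ == "__main__":
    good = build_sample({"workflow.yxmd": "<AlteryxDocument/>"})
    bad = build_sample({"workflow.yxmd": "<AlteryxDocument><Node/></AlteryxDocument>"})
    print(audit_package(good, bad))
```
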