dhhdjbd I mean, if the app is built on insecure systems, it can be compromised, which in the end means I would basically get malware.
True.
dhhdjbd And for one, I am wondering if anyone ever heard about this happening, so whether this is something users should be concerned about at all.
Yes, if you are concerned about the security of F-Droid's build infrastructure, you should definitely be concerned about this. It is more common that individual developers have their builds compromised than that an app repository has its build system compromised.
dhhdjbd And secondly, I am wondering: if I get my apps from github/gitlab, for example, can I see if the release is just an upload by the developer or if it was built by some github/gitlab build pipeline? (which I assume is more secure)
Don't know.
dhhdjbd I often heard that one reason F-Droid should be avoided is because of their insecure build infrastructure, and I am unsure if the build systems of random other developers are secure, basically.
I use F-Droid exactly because then I know it is F-Droid that has built the packages, and not some random developer. I would say, if you trust the app developer to have a secure build infrastructure, which you usually can for security and privacy focused apps, then it might be better to put the trust in the developer. But F-Droid would still be very concerned about malicious code getting injected into APKs they build and distribute, so although there is much to comment on about their lack of best security practices, it is not as horrible as many are making it seem. Definitely better to trust than a random APK from github which probably was built on the developer's own computer, which might be compromised or improperly protect the signing keys.
dhhdjbd And lastly, how are Google Play apps built?
By the developer, usually. And then Google Play injects some additional code into the builds and re-signs the APKs with Google-owned signing keys. It varies a little bit for each app, but this is probably the most common case.