I understand in Angular for example that when building the project you can add a Subresource integrity (SRI) tags automatically using this command:
ng build --subresource-integrity
My question is how do I know when running that command that the hash that was created was not sourced from a malicious CDN?
I feel like it becomes a chicken and egg problem as I might never know?
SRI protects the integrity of loaded resources in a page. It can protect against a compromised store of such resources, but only as long as the page itself is not in that compromised store. The page that loads the resources is special in the sense that it has the opportunity to check SRI, almost like the source of those resources was untrusted, but you need to be able to serve the page from a trusted source.
Note that this has benefits beyond detecting a malicious CDN. What SRI provides is assurance that the resource loaded is the same as what you were intending to load when the page was created. A lot of things might happen to resources in something like a CI pipeline before being deployed somewhere, they will be stored on intermediate servers during builds, copied to CDNs and so on, SRI ensures the integrity throughout all these all the way to the client browser. But again, only as long as the page that includes those resources is not compromised.
In other words, if the page is stored in the same CDN together with the resources, SRI will not protect against compromise of the CDN - how could it, when you are trusting it to serve all of your content. But it might still protect against compromise of your pipeline in which these files make their way to the CDN.
Edit: I might have misunderstood the question.
NPM packages are signed with PGP, so getting dependencies is secure as long as you only have trusted keys.