Nowadays it's less of an issue with docker and whatnot.
Just set the image to refresh every night at midnight and if they tried to make manual changes it'll just revert back to its original state at midnight.
Customers don't really get direct access to deployed code now, it's buried under like 4 layers of abstraction on most CDNs now.
Simply deploying to azure already smears multiple layers of access control and RBAC overtop that it's hard enough for me, the dev, to answer the question if "what is actually deployed atm?", let alone for the customer to get in their and meddle.