I think the question is answered for you if you can figure out the answer to, “is my source code significantly less likely to be read by an attacker, than is a database?”.

I would suggest that it is not — perhaps your source is somewhat less likely to leak, depending how things are backed up etc. Even so I doubt that it’s so much less likely to leak that you can neglect the risk, given that you do not neglect the same risk for databases. The reason that passwords in database should be salted/hashed isn’t that there’s some special property of databases that means attackers can view their contents[*], it’s that attackers can get a look at all kinds of things, one way or another.

In fact source code might even be more likely to leak than a database, given that anyone working on the system might need access to the source, whereas not everyone working on a system necessarily needs access to the contents of the live DB. Not that I think your developers are dishonest (if they are, you have worse problems than the password leaking), just that the logistics around sharing source might introduce more (or just different) ways it can accidentally leak, than the logistics around backing up a DB.

Personally, in your situation I would create a small file on the server containing the hashed/salted password and approximately nothing else. Users installing different instances of the app can generate their own versions of this file, containing their own password, separate from the actual application code. They should lock it down with the same write-access restrictions as they do the source code.

Whether you call this file “a read-only database” or “part of the server code” doesn’t affect how easy it is for an attacker to view it, although it might affect whether you refer to the password as “hard-coded”.

[*] of course there are potential flaws that are special to particular databases, SQL injection attacks or whatever. Those are not the decisive reason why passwords in databases should be salted and hashed.