I’m explicitly looking for people to tear this apart: if you assume a hostile developer who controls .gitlab-ci.yml but not the platform, can you design a CI/CD compliance model on GitLab that actually can’t be bypassed? If you think you can, please explain how; if you think it’s impossible, I want to hear that too.
I want to know if my CLI actually helps or if it misses the point of supply-chain defense and compliance.