I’m explicitly looking for people to tear this apart: if you assume a hostile developer who controls .gitlab-ci.yml but not the platform, can you design a CI/CD compliance model on GitLab that actually can’t be bypassed. And if you think you can, please explain how, and if you think it’s impossible, I want to hear that too.

If it meets the guidelines, this might make a good 'Show HN'. Show HN guidelines: https://news.ycombinator.com/showhn.html