Block merge into protected branch when pipeline does not exist


I would like to know what strategy you use when you want to block any push/merge to master when pipeline fails.
I mean, I have a project with everything configured and correct, but if someone with DEVELOPER access level does the steps below, he/she will be able to merge into master without pipeline had been ran.

  1. creates a branch
  2. adds a line like this only: master in .gitlab-ci.yml
  3. commits this change
  4. push the local branch to the remote
  5. creates a merge request with that last commit

In this scenario, MERGE button will be available because in .gitlab-ci.yml, he/she said that pipeline only will be run in master branch, right?
So, in this scenario, someone got the rights fooling admin rules that says “Only allow merge requests to be merged if the pipeline succeeds”, but pipeline did not succeed!!! It didn’t even ran.

What am I missing in strategy flow?