CI/CD pipelines: workflows and roles

Hello, I am considering using GitLab (enterprise) to set up a continuous integration and delivery pipeline based on containers and Kubernetes as the running environment.
Deploys to the cluster are executed via the helm/tiller tool.

I would like to know how to set up a CI/CD pipeline with the following steps:

  • code quality (lint, static code analysis)
  • build (to docker container)
  • deploy to dev (Kubernetes cluster, dev namespace)
  • automated testing
  • deploy to staging (Kubernetes cluster, staging namespace)
  • more automated testing
  • deploy to production (Kubernetes cluster, production namespace)

Deploy steps to staging and prod must be subject to explicit approval from specific users (deploy to prod could require auth from two separate users/roles, like business user, IT manager).
Users, except “admins”, should not be able to alter the pipeline steps and environment variables.

I understand that it is not possible to protect the .gitlab-ci.yml file, as developers can always change it and protected branches/tags are not effective, so I am considering segregating roles using separate projects: several “code” projects, accessible by the dev team, with CI steps limited to the code quality and build phases, and one single “deploy” project dedicated to the deploy steps, with separate users and permissions.
Does it make sense? Any best practices/examples available?

Best regards,
Roberto
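As an added example (not part of the original post, and not an official GitLab template), the project split described above can be expressed with two `.gitlab-ci.yml` files: the "code" project only lints, builds and pushes an image, then triggers the separate "deploy" project, passing the immutable image reference; the "deploy" project runs the helm steps, with staging and production jobs stopped behind `when: manual` gates. The project path `ops/deploy`, the image tags, the chart name `myapp` and the health-check URL are placeholders. The `helm` invocation assumes Helm 3 syntax (no tiller), and limiting who may press "play" on the staging and production jobs, including requiring approvals from named users or groups before production, is done through GitLab's protected environments in the deploy project's settings, not in this file.

```yaml
# Added example, not from the original post. Paths, image names and URLs
# are placeholders.

# ---------- .gitlab-ci.yml in a "code" project (dev team has write access) ----------
stages:
  - quality
  - build
  - handoff

variables:
  IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"   # content-addressed tag, never "latest"

lint:
  stage: quality
  image: python:3.11              # placeholder; use the linter image for your stack
  script:
    - pip install flake8
    - flake8 .

build:
  stage: build
  image: docker:24
  services:
    - docker:24-dind
  script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
    - docker build -t "$IMAGE" .
    - docker push "$IMAGE"

# Hand the built image reference to the deploy project. The code project holds
# no cluster credentials at all, so a developer editing this file cannot deploy.
trigger_deploy:
  stage: handoff
  trigger:
    project: ops/deploy           # placeholder: the separate "deploy" project
    branch: main
    strategy: depend              # this pipeline waits for the downstream one
  variables:
    APP_IMAGE: "$IMAGE"
  rules:
    - if: '$CI_COMMIT_BRANCH == "main"'

# ---------- .gitlab-ci.yml in the "deploy" project (ops/approvers only) ----------
stages:
  - dev
  - test
  - staging
  - production

# Shared helm step; NAMESPACE and APP_IMAGE come from the job / upstream trigger.
.helm_deploy:
  image: alpine/helm:3.12.0       # placeholder helm image
  script:
    - >
      helm upgrade --install myapp ./chart
      --namespace "$NAMESPACE"
      --set image="$APP_IMAGE"
      --wait

deploy_dev:
  extends: .helm_deploy
  stage: dev
  variables: { NAMESPACE: dev }
  environment: { name: dev }

test_dev:
  stage: test
  image: curlimages/curl:8.4.0    # placeholder
  script:
    - curl --fail "https://dev.example.internal/healthz"   # placeholder URL

deploy_staging:
  extends: .helm_deploy
  stage: staging
  variables: { NAMESPACE: staging }
  environment: { name: staging }
  when: manual
  allow_failure: false            # blocking gate: later stages wait for "play"

deploy_production:
  extends: .helm_deploy
  stage: production
  variables: { NAMESPACE: production }
  environment: { name: production }
  when: manual
  allow_failure: false
```

With `allow_failure: false` on a manual job the pipeline pauses at that stage instead of skipping it, so nothing reaches production without someone in the deploy project pressing the button. The cluster credentials (kubeconfig or a namespaced service-account token, ideally one per environment) live only as protected, masked CI variables of the deploy project, which keeps them out of reach of anyone who can edit the code projects' pipeline files.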