Gitlab runner trust build

I’m building a docker stack with a self-hosted gitlab and gitlab-runner service. My aim is to also integrate a website in the stack that uses builds from the gitlab repos. To do this, I’m using a processor, like markdown, to convert source files in the repos to their targets.

My question is: is there a way to do this with gitlab runner in order to trust the output, if I trust the processor–like markdown? From what I can tell, runners can spawn isolated containers, but then the user can specify arbitrary commands on the runner with a .gitlab-ci.yml file. In this circumstance, they could run commands to create an untrusted build. Ideally, I’d like to have users have access to a pre-configured runner that runs a trusted command for them–and nothing else.

Any suggestions or help is greatly appreciated,