Guidance for PCI Compliance

Looking for Guidance for PCI Compliance.
We are currently moving to getting a ci\cd pipeline running on Gitlab.
Our current set up is we have a non production and a production environment on separate networks.
This reduces the area that is under PCI to just the Production network as this is the only place card holder data is present.
We get a deployment to production by the following:

  • Commit code to git

  • This kicks off current build of artifacts via cruise control

  • In non production we deploy this via scripts, which have access to artifacts

  • For production we make the artifacts available to production by pushing to SFTP server and run script on production jump server to deploy

We are now working to moving to use Gitlab where:

  • Gitlab running in non prod environment

  • Gitlab registry running in non prod environment with docker images stored in file system for now, eventlually to something like s3

GitLab runner running in non prod environment

Our issue is for the cd part we need to push images to production boxes and run docker commands(docker run). This results in our non production environment (via runner running pipeline) to have access to production which we never required.

Any guidance on how to avoid this and keep our production environment as restricted as possible. I presume lots of companies want to keep production restricted and how do they achieve this?