How to prevent accidentally deploying to production runner?

We deploy WAR files to on-prem JBoss servers identified by opaque hostnames like:

  • abc001
  • abc002
  • abc003
  • abc004

In my example, abc004 is actually production. We map the hostname to tags to best identify them, since only certain WAR packages are deployed to certain hosts. How do we prevent a situation where there is a change in the GitLab CI like:

deploy-to-dev:
   stage: deploy
   tags:
     - abc004
   ....

Whereby someone has accidentally selected the production runner and mistakenly kicked off a job there, which disrupted our production services.

Ideally we need an approval workflow for certain runners. How do we accomplish that?

Thanks to https://www.reddit.com/r/gitlab/comments/10re1ev/how_does_one_only_activate_a_production_runner_by/j6v9azy/

Sidenote: gitlab-runner-linux-amd64 register appears to have a "Set access_level of the runner to not_protected or ref_protected; defaults to not_protected [$REGISTER_ACCESS_LEVEL]" option, which I think allows you to automate this when deploying the runner to production.

Though I still think the problem remains, since the protected branch is main and we use that throughout our environments.
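
One way to catch the mis-tagged job described in the post before it reaches a runner, as an added example that is not part of the original post or of GitLab: a Ruby check, meant to run in a merge request job on a non-production runner, that fails when a job outside an allow-list carries a production runner tag. It assumes abc004 is the production tag as in the post; the allow-listed job name deploy-to-prod and the sample pipeline are constructed for illustration.

```ruby
require 'yaml'

# Assumption: abc004 is the production runner tag, as in the post.
PRODUCTION_RUNNER_TAGS = %w[abc004].freeze
# Hypothetical convention: only these job names may target production runners.
ALLOWED_PRODUCTION_JOBS = %w[deploy-to-prod].freeze
# Top-level .gitlab-ci.yml keywords that are not jobs.
RESERVED_KEYS = %w[stages variables default include workflow image services
                   before_script after_script cache].freeze

# Constructed sample pipeline reproducing the mistake from the post.
SAMPLE_CI = <<~YAML
  stages: [build, deploy]
  build-war:
    stage: build
    tags: [abc001]
    script: ["mvn package"]
  deploy-to-dev:
    stage: deploy
    tags:
      - abc004
    script: ["./deploy.sh"]
  deploy-to-prod:
    stage: deploy
    tags: [abc004]
    script: ["./deploy.sh"]
YAML

# Returns "job: tag" strings for every job that is not on the allow-list
# but would be picked up by a production runner.
def production_tag_violations(ci_yaml)
  config = YAML.safe_load(ci_yaml, aliases: true)
  return [] unless config.is_a?(Hash)
  default = config['default']
  default_tags = default.is_a?(Hash) ? Array(default['tags']) : []
  config.flat_map do |name, job|
    next [] if RESERVED_KEYS.include?(name) || !job.is_a?(Hash)
    next [] if ALLOWED_PRODUCTION_JOBS.include?(name)
    # A job without its own tags inherits default:tags.
    tags = job.key?('tags') ? Array(job['tags']) : default_tags
    (tags.map(&:to_s) & PRODUCTION_RUNNER_TAGS).map { |tag| "#{name}: #{tag}" }
  end
end

if __FILE__ == $PROGRAM_NAME
  found = production_tag_violations(ARGV[0] ? File.read(ARGV[0]) : SAMPLE_CI)
  found.each { |v| puts "production runner tag on non-production job #{v}" }
  exit 1 if ARGV[0] && found.any? # fail the pipeline only for a real file
end
```

The check reads the file as written, so tags that arrive through extends, include or a CI variable are not resolved; point it at the merged configuration to cover those.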