In GitLab CI, we have a pages job to publish a GitLab Pages site. But it can run from any branch even non-protected, meaning any developer within the project can publish and override page contents. (Notice that they can modify the .gitlab-ci.yml file in a non-protected branch).
We have branch rules in place to safeguard branches. We employ a protected runner for runner protection. However, I think we lack a mechanism to safeguard pages from unauthorized alterations.
Can we constrain GitLab Pages can only be published from the default branch or any protected branch?