Protext production environment in Gitlab CI

We are trying to setup CI-CD using Gitlab. The documentation seems straightforward. But I am struggling with setting up proper access. We want to only give Gitlab admins to be able to deploy to production account. We also want senior members of each team to be able to create new projects as needed, provide access to others in turn and be a Maintainer of these projects, etc. But we don’t want anyone outside the Gitlab Admin team to be able to trigger/approve jobs that deploy to productioin environment. I have been searching a while and still not able to a solid solution. Some of the solutions that did not work for us is configuring ci-cd jobs to be triggered by selected users. The reason is the project maintainers can updated the gitlab-ci.yaml file and change it if they wish to do so. Ideally something like protecting runners so that the jobs will fail if the person who triggered the job does not have access to the runners. This way, we can protect the production deployment securely.

Also, I have searched the concept of “environment”. It only seems to be for labelling, and is not equivalent to physical environment that you can assign permission to.

So, what is the standard way differnet companies do this? i.e protect their production

can anyone help please :pray: ?