Running Protected Pipelines on Merge Requests from the community

I’m hosting an open source project using a GitLab on-prem installation. I’d like to have a mechanism to have community contributions / bugfixes / new features, and I want to verify that the incoming code works in a deployed setting.

I don’t want to expose the credentials to my testing environment (a cloud computing environment), nor do I want to blindly run code from unknown sources. However, once a maintainer has reviewed the code and feels comfortable with it, I’d like some way for them to mark the Merge Request as “Trusted”, enabling the execution of a protected pipeline against that code. Ideally, I’d like to see this protected pipeline pass before approving the merge request and merging into master.

I can think of a few ways to make it happen technically, but they all feel very awkward and manual. I’m curious if anybody else has run into something similar and established a good pattern for it.