Unprotected runner on protected branch

We are using GitLab.com. We have an unprotected runner and a protected runner for the CICD pipeline and “master” branch is set to be protected by default. We have a CICD pipeline with two stages, each of which has a job. When a CICD pipeline job is triggered, we found that the protected runner executed the job in the first stage correctly. However, the unprotected runner executes the job in the second stage unexpectedly.

The .gitlab-ci.yml looks like this:

# snippet of the file
# ...

services:
#- docker:dind
  - docker:18.09-dind

stages:
  - init
  - preDeploy

###-------------------------------------------------------------###
cfnValidation:
  stage: init
  script:
    - make aws_cfn_validation #...


###-------------------------------------------------------------###
### It's going to be used for production only. ###
createChangeSetOnly:
  stage: preDeploy
  rules:
    - if: '$CI_COMMIT_BRANCH == "master"'
      when: on_success
    - when: never
  script:
    - make create_changeset #....

We expect that as long as the change occurs in the master branch, only the protected runner will execute all the jobs. What could be the cause that the unprotected runner executes the job?

Thanks.

Best Regards,

James