Use Buildkite permissions to split CI into multiple tiers (tier-1, tier-2, etc.), such that only select individuals have access to tiers 2 and above.
Only tier-1 is required to successfully merge a PR.
Tier-1 CI machines hold no credentials (deploy keys, etc.), so if a tier-1 CI machine is abused, only compute resources are lost. (Same as with GitHub Actions, for example.)
Production deployments do not come from the same machine(s) as tier-1 CI.
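An added example (not from this page or either repo) of how such a split could be expressed in a Buildkite pipeline.yml: the tier-1 steps run on an agent queue that holds no credentials and are the only ones a PR needs to pass, while production deployment lives in a separate pipeline that tier-1 only triggers for non-PR builds on main. The queue names, pipeline slugs, commands and team setup are assumptions.

```yaml
# pipeline.yml for the assumed tier-1 pipeline ("ci-tier-1").
# Assumptions: agents registered with queue=tier-1 are started without any
# deploy credentials; agents with queue=tier-2 are the only ones holding them;
# and the separate "deploy-tier-2" pipeline is buildable only by a restricted
# Buildkite team (configured in that pipeline's team settings, not in YAML).
agents:
  queue: tier-1            # default queue for every step in this file

steps:
  # tier-1: runs for every PR and is the only status required to merge.
  - label: ":hammer: build"
    key: build
    command: make build

  - label: ":test_tube: test"
    key: test
    depends_on: build
    command: make test

  # Hand-off to tier-2. This step is skipped for pull-request builds, so a PR
  # that abuses a tier-1 agent can burn compute time but never reaches a
  # machine that holds deploy credentials.
  - trigger: deploy-tier-2
    label: ":rocket: trigger production deploy"
    depends_on: test
    if: build.branch == "main" && build.pull_request.id == null
    build:
      commit: "${BUILDKITE_COMMIT}"
      branch: "${BUILDKITE_BRANCH}"

# For reference, the assumed separate "deploy-tier-2" pipeline would pin its
# steps to the credentialed queue and nothing else:
#
# steps:
#   - label: ":rocket: deploy"
#     command: ./deploy.sh   # hypothetical script
#     agents:
#       queue: tier-2        # the only agents that hold deploy credentials
```

A quick check when reviewing such a setup: every step in the tier-1 file should resolve to the tier-1 queue, and no tier-1 step should reference secrets via env or plugins.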
Cross-linking to some helpful info from the mina-block-explorer repo.