This is why I don't allow anyone to get an account on our GitLab server unless they're highly trusted.

In my case, I also don't give the CI runner access to any secrets or access to deploy anything, so I'm nit too worried, personally.

But I will still push for better transparency.

I fight for the user!