When pipelines are deploying to production or have access to other important resources, customers want to either prevent changes to configuration or restrict the ability to run the pipeline to certain members of their team.
This is related to #12844, and needs further discussion with customers before we settle on a solution.
Pipelines should only read from the bitbucket-pipelines.yml that is in the main branch and run branch-specific tasks from that file as well. That way developers who do not or should not have access to the build file can be blocked from the main branch but still be able to push to other branches (which still runs the branch-specific build code defined in the bitbucket-pipelines.yml file in the main branch). bitbucket-pipelines.yml files in non-main branches should be ignored and, obviously, should not be required to be in the branch that is defining the branch-specific build code.