In my understanding of Bitbucket Pipelines, the bitbucket-pipelines.yml that is used for a run is picked from the branch I run the pipeline on.
So let's say I have a "feature1" branch: if I manually trigger a pipeline, it will be the "feature1" version of bitbucket-pipelines.yml.
Isn't this kind of insecure, in that people with write access can echo my environment variables just by modifying and manually running a pipeline?
So I can only give write access to the repo to somebody who is allowed to access the server environments too?
And how am I supposed to secure my production deployment pipeline against running it manually on, let's say, the "feature1" branch and deploying feature1?
I mean, I am limiting write access to my master branch via branch permissions, but this does not seem to stop anybody from deploying to my production environment.