Great question! So depending on where you want that manual approval to occur, there are a few different ways you could go about it. My first thought here is that you can create a block step, and then wire up a bot, script, or some other external action that could unblock the job from the Jobs API:
A common pattern that we use in our open source projects is that builds on forks are blocked by default in our pipelines, and so a maintainer (generally Buildkite staff) is able to go in and unblock the build so that it can run.
We do this manually, but I think it would be simple enough to hook up a webhook event that fires when a build is blocked, and then allow someone to unblock it via an API call
Hopefully that gives you a starting point and some ideas, but feel free to ask any questions and we’ll be happy to help out!