Public Build Security on PRs

Hey there @tom!

Unfortunately this functionality isn’t something that Buildkite does just yet, though this use-case is certainly on our radar and something that we’re planning on accounting for in future!

As a potential workaround for now I’d suggest a hard-coded (via the Buildkite UI) step that runs in these public pipelines that can sanity check the origin of the code, and can then prepend a block step before any uploaded dynamic pipeline steps are added (potentially also shooting a notification off to your team to let them know that the pipeline needs review). Does this sound like it’d do the job?

We’re keen to remove this extra legwork in the future once we get a better idea of all the potential use-cases and approaches that people need to support for running their public builds/pipelines.

Cheers,

Justin.
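
One way to write the hard-coded step suggested in the reply above, as an added example that is not part of the original post and not Buildkite's own code. It assumes the repository's pipeline is in the default location that `buildkite-agent pipeline upload` reads; the function names are hypothetical, and the team notification is left out.

```shell
#!/bin/sh
# Added example: command body for a step defined in the Buildkite UI, so a
# pull request cannot change it. The agent sets BUILDKITE_REPO,
# BUILDKITE_PULL_REQUEST ("false" or the PR number) and
# BUILDKITE_PULL_REQUEST_REPO (the repository the PR branch lives in).

# Reduce a git URL to lowercase host/owner/repo so ssh and https forms compare equal.
normalize_repo() {
  printf '%s\n' "$1" | sed -E \
    -e 's#^[a-z+]+://##' \
    -e 's#^[^@/]+@##' \
    -e 's#:#/#' \
    -e 's#/+$##' \
    -e 's#\.git$##' | tr '[:upper:]' '[:lower:]'
}

# Succeeds (exit 0) when the build is a PR whose source is not the pipeline's own repo.
is_fork_pr() {
  if [ "${BUILDKITE_PULL_REQUEST:-false}" = "false" ]; then
    return 1                      # branch build, not a pull request
  fi
  src="$(normalize_repo "${BUILDKITE_PULL_REQUEST_REPO:-}")"
  if [ -z "$src" ]; then
    return 0                      # PR with unknown origin: fail closed
  fi
  [ "$src" != "$(normalize_repo "${BUILDKITE_REPO:-}")" ]
}

# Print the steps to upload: for fork PRs a block step gates the step that
# uploads the repository's own (untrusted) dynamic pipeline.
gate_steps() {
  echo "steps:"
  if is_fork_pr; then
    echo "  - block: \"Review fork pull request before running\""
  fi
  echo "  - label: \"Upload repository pipeline\""
  echo "    command: \"buildkite-agent pipeline upload\""
}

# Upload only when running as a Buildkite job; elsewhere the functions can be inspected.
if [ -n "${BUILDKITE_JOB_ID:-}" ] && command -v buildkite-agent >/dev/null 2>&1; then
  gate_steps | buildkite-agent pipeline upload
fi
```

Because the block step sits in front of the upload step, nothing from the fork's pipeline file is read until someone unblocks the build.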