Protect YAML pipelines
Hello everyone,
I am trying to find ways to protect YAML pipelines that have access to secrets from being abused.
The YAML pipeline has access to a variable group that (via a Key Vault) contains a secret. The secret is required for the pipeline to operate. We want the pipeline to run without manual approval because it is used in a pull request policy and runs rather frequently.
The problem is that any contributor to the repository can edit the YAML on their own branch and create a pull request. This will execute the pipeline. Since the pipeline will run no matter what, the changed pipeline might expose a secret or abuse it in some way.
Is there any way to make sure that only a select group has the ability to alter a YAML pipeline definition? Or to block any runs in which the pipeline YAML was altered? Maybe disallow pushes to the YAML path?