This repository has been archived by the owner on Oct 3, 2023. It is now read-only.

Drone builds should need a new signature (drone sign) after the pipeline code has been updated. #43

Open
kminehart opened this issue May 16, 2022 · 0 comments

Comments

@kminehart
Collaborator

In its current form, there is a potential issue where a bad actor can update the code used to generate a pipeline but the drone.yml does not update. That code could do something bad like expose secrets.

Drone gets around this typically by including a cryptographic signature at the bottom that is derived from the contents of the .drone.yml file. If the signature doesn't match the file, then it will not run the build until it is signed by a trusted user or the build is approved.

If we include data in the file that changes depending on the contents of the pipeline (we could possibly use the compiled pipeline?), we can leverage Drone's "protected repositories" features.
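As an added illustration of the proposal above (not code from this repository or from Drone itself), a Python sketch that embeds a digest of the pipeline-generator source into the generated .drone.yml, so that a signature over that file also changes whenever the generator code changes. The `sign` function is a stand-in HMAC, not Drone's real signing format, and the source files and secret are constructed.

```python
import hashlib
import hmac
from typing import Dict

# Constructed stand-in for the files that generate the pipeline (e.g. a Go
# program). In practice these would be read from the repository checkout.
PIPELINE_SOURCE: Dict[str, bytes] = {
    "pipeline/main.go": b"package main\n// builds the drone pipeline\n",
    "pipeline/steps.go": b"package main\n// step definitions\n",
}

DIGEST_PREFIX = "# pipeline-source-digest: "


def source_digest(files: Dict[str, bytes]) -> str:
    """Deterministic SHA-256 over path + length + content, sorted by path,
    so that any change to the generator source changes the digest."""
    h = hashlib.sha256()
    for path in sorted(files):
        data = files[path]
        h.update(path.encode() + b"\0")
        h.update(len(data).to_bytes(8, "big"))
        h.update(data)
    return h.hexdigest()


def render_drone_yml(pipeline_yaml: str, files: Dict[str, bytes]) -> str:
    """Emit the generated .drone.yml with the source digest as its first line,
    so the file bytes (and therefore the signature) depend on the generator
    code, not only on the rendered steps."""
    return f"{DIGEST_PREFIX}{source_digest(files)}\n{pipeline_yaml}"


def sign(drone_yml: str, secret: bytes) -> str:
    """Stand-in for `drone sign`: HMAC-SHA256 over the full file contents."""
    return hmac.new(secret, drone_yml.encode(), hashlib.sha256).hexdigest()


def verify(drone_yml: str, signature: str, secret: bytes,
           files: Dict[str, bytes]) -> bool:
    """Two checks a CI gate would run before building: the signature still
    matches the file, and the digest recorded in the file still matches the
    generator source actually checked out."""
    sig_ok = hmac.compare_digest(sign(drone_yml, secret), signature)
    first_line = drone_yml.splitlines()[0] if drone_yml else ""
    digest_ok = first_line == f"{DIGEST_PREFIX}{source_digest(files)}"
    return sig_ok and digest_ok
```

With this in place, editing the generator without regenerating and re-signing fails the digest check, and regenerating after the edit produces a different file that the old signature no longer covers.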
