Prevent build spec override

[jaidisido]

We are interested in leveraging this Github action to trigger CB projects when a PR is created in our repo, however we are not comfortable with the idea that the buildspec can be overridden. A malicious user could modify the spec to perform actions beyond those allowed. Is there a way to prevent this behaviour via an IAM condition or any other way?

[jcw-]

The apparent inability to securely trigger a build through StartBuild is a blocker for adoption for us as well. Combined with the lack of flexibility of the AWS Connecter (GitHub App) to support multiple AWS accounts and this makes for a pretty poor look for CodeBuild's support for GitHub.