With source code and IaaC within the same project and residing in pulumi, if security is concerned just have IaaC inside pulumi and source code in Gitlab? But then separately into different repos defects the purpose of having source and IaaC nicely together as one...?