No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

The role-based access control features in the Pulumi Console were designed for this.

<https://www.pulumi.com/docs/intro/console/collaboration/stack-permissions/>

Your dev would have `WRITE` to 1 and `NONE` to 2, 3, and 4.

Your CICD pipeline would have `WRITE to 2, 3, and 4.

Your dev could have `READ` to 2, 3, and 4 if you wanted to allow it. That way they can see the changes that occur and even run previews against those stacks, but would not be allowed to make changes to them.

Sick, that's exactly what I was after.  Cheers.