How can you design a container build pipeline for a GKE-hosted application with these requirements:

• Only images generated by your build pipeline should be deployable to your GKE cluster.

• All source code and build artifacts must stay within your environment and be secured against data exfiltration?