Sounds good until you see their cvedetails page
When you own it, you can just limit it to VPN-ed company users; that significantly cuts down on the area that can be hit.
I mean, the GitHub Actions supply chain risks and attacks definitely compensate for any GitLab security vulnerabilities you can think of.
Hide it behind a VPN, so it's not accessible from outside.