Production deployment protection

With the implementation of the new yml file for continuous integration and the deployment being in the file there is a danger of the wrong branch being deployed.

Take the case of a deploy job that use only:master. A developer can then branch from master into a new branch. Inside this branch change the only tag and the branch can be pushed to production. A current project I am using is using rsync in the yml file to deploy. There is no way to protect the deployment.