It seems like outside users cannot access our API token (which makes sense, obviously) and will have their pipelines fail in merge requests.
While it would be nice for people to magically know about that token and set it up in their pipelines, that's kind of a tough sell so instead just allow those pipelines to fail so we can at least merge their stuff.
See for example:
https://gitlab.torproject.org/emmapeel/ci-templates/-/pipelines/17200
and: