Fully agreed. We did something similar: we used the open-source technology my company created to make our Jenkins invisible to the internet. Outbound-only connectivity. We used webhooks with embedded zero trust SDKs to connect it to any external public resources (e.g., GitHub).