diff --git a/templates/full-pipeline.yml b/templates/full-pipeline.yml
index b38afa2611638c99eb260917be7bee323749d70d..686dac1bfd1dab7ee59f52dc57aa282642bf233b 100644
--- a/templates/full-pipeline.yml
+++ b/templates/full-pipeline.yml
@@ -108,6 +108,9 @@ spec:
     fmt_rules:
       default:
         - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+        # FIXME: once https://gitlab.com/gitlab-org/gitlab/-/issues/438722 is fixed we should only
+        # match "parent_pipeline" source if $[[ inputs.trigger_in_child_pipeline ]] is `true`.
+        - if: $CI_PIPELINE_SOURCE == "parent_pipeline"
         - if: $CI_OPEN_MERGE_REQUESTS  # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
           when: never
         - if: $CI_COMMIT_BRANCH        # If there's no open merge request, add it to a *branch* pipeline instead.
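Review bot: The added `parent_pipeline` rule in `fmt_rules` matches every child pipeline that includes this template, not only the one started by this component's bridge job. Because it sits ahead of the `$CI_OPEN_MERGE_REQUESTS` guard, the jobs are added whatever the parent's source was (schedule, tag, or a child pipeline the consumer triggers themselves). The FIXME records the intended end state but not this present-day effect, so I would extend it with `# Until then these jobs are added to *any* child pipeline, regardless of what triggered the parent.` and repeat the caveat in the input's `description`, which lies outside the hunk. The same applies to the `validate_rules`, `test_rules` and `plan_rules` hunks in this file and to the matching hunks in `validate-plan-apply.yml`, `validate-plan-destroy.yml` and `validate-plan.yml`.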
@@ -116,6 +119,9 @@ spec:
     validate_rules:
       default:
         - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+        # FIXME: once https://gitlab.com/gitlab-org/gitlab/-/issues/438722 is fixed we should only
+        # match "parent_pipeline" source if $[[ inputs.trigger_in_child_pipeline ]] is `true`.
+        - if: $CI_PIPELINE_SOURCE == "parent_pipeline"
         - if: $CI_OPEN_MERGE_REQUESTS  # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
           when: never
         - if: $CI_COMMIT_BRANCH        # If there's no open merge request, add it to a *branch* pipeline instead.
@@ -124,6 +130,9 @@ spec:
     test_rules:
       default:
         - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+        # FIXME: once https://gitlab.com/gitlab-org/gitlab/-/issues/438722 is fixed we should only
+        # match "parent_pipeline" source if $[[ inputs.trigger_in_child_pipeline ]] is `true`.
+        - if: $CI_PIPELINE_SOURCE == "parent_pipeline"
         - if: $CI_OPEN_MERGE_REQUESTS  # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
           when: never
         - if: $CI_COMMIT_BRANCH        # If there's no open merge request, add it to a *branch* pipeline instead.
@@ -132,6 +141,9 @@ spec:
     plan_rules:
       default:
         - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+        # FIXME: once https://gitlab.com/gitlab-org/gitlab/-/issues/438722 is fixed we should only
+        # match "parent_pipeline" source if $[[ inputs.trigger_in_child_pipeline ]] is `true`.
+        - if: $CI_PIPELINE_SOURCE == "parent_pipeline"
         - if: $CI_OPEN_MERGE_REQUESTS  # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
           when: never
         - if: $CI_COMMIT_BRANCH        # If there's no open merge request, add it to a *branch* pipeline instead.
@@ -171,6 +183,10 @@ spec:
       default: opentofu
       type: string
       description: 'If `trigger_in_child_pipeline` is `true` then this defines the stage of the child pipeline bridge job.'
+    child_pipeline_rules:
+      default: [{when: on_success}]
+      type: array
+      description: 'Defines the `rules` of the child pipeline bridge job.'
 
 ---
 
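Review bot: The `child_pipeline_rules` default of `[{when: on_success}]` lets the bridge job run in every pipeline type, while the job-level defaults above deliberately skip branch pipelines that already have an open merge request. Unless a `workflow:rules` block outside this diff deduplicates them, a branch with an open merge request would start two child pipelines, each running the full fmt/validate/plan set. I would mirror the job defaults here, written in block style, and have the `description` say that the input only takes effect when `trigger_in_child_pipeline` is `true` and that its entries are evaluated after a `when: never` guard. The same default is added in the three other templates.

```yaml
    child_pipeline_rules:
      default:
        - if: $CI_PIPELINE_SOURCE == "merge_request_event"
        - if: $CI_OPEN_MERGE_REQUESTS
          when: never
        - if: $CI_COMMIT_BRANCH
      # … unchanged: type …
      description: 'Defines the `rules` of the child pipeline bridge job. Only used if `trigger_in_child_pipeline` is `true`.'
```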
@@ -326,11 +342,18 @@ stages:
 
 '$[[ inputs.job_name_prefix ]]$[[ inputs.child_pipeline_name ]]':
   rules:
-    - if: '"$[[ inputs.trigger_in_child_pipeline ]]" == "true"'
+    - if: '"$[[ inputs.trigger_in_child_pipeline ]]" == "false"'
+      when: never
+    - $[[ inputs.child_pipeline_rules ]]
   extends: '.$[[ inputs.job_name_prefix ]]$[[ inputs.child_pipeline_name ]]:bridge_job_stage:$[[ inputs.trigger_in_child_pipeline ]]'
   trigger:
     include:
-      - local: /templates/full-pipeline.yml
+      # FIXME: this project path may not be correct for forks and mirrors (on self-managed),
+      # so we need to introduce another input for it.
+      # We probably need to split up `image_registry_base` and use parts of it here, too.
+      - project: 'components/opentofu'
+        file: '/templates/full-pipeline.yml'
+        ref: '$[[ inputs.version ]]'
         inputs:
           stage_validate: $[[ inputs.stage_validate ]]
           stage_test: $[[ inputs.stage_test ]]
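Review bot: The child pipeline definition is now fetched from the literal path `components/opentofu` at `ref: '$[[ inputs.version ]]'`, which need not be the project or revision the parent template was included from. On a self-managed instance where that path resolves to a different group or a stale mirror, the bridge job would run that project's template with the inputs forwarded below, so the FIXME describes a trust-boundary problem and not only a broken include for forks. `version` is declared outside the hunk; if it accepts a moving ref such as a branch name, the child pipeline's content can also change between runs of the same pinned parent. Until the project path becomes an input I would add `# NOTE: this path is resolved on the current instance; confirm it is the trusted upstream and that 'version' names an immutable ref before enabling trigger_in_child_pipeline.` above the `project:` line. The same applies to the bridge-job hunks in the three other templates, and the `inputs:` list continues past the end of this hunk.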
diff --git a/templates/validate-plan-apply.yml b/templates/validate-plan-apply.yml
index 05dfc7a60b7a4b9e2cd438bc60992dc0767c8ede..45f31ef70cb476fbcb5e51745e3db8a262089c84 100644
--- a/templates/validate-plan-apply.yml
+++ b/templates/validate-plan-apply.yml
@@ -95,6 +95,9 @@ spec:
     fmt_rules:
       default:
         - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+        # FIXME: once https://gitlab.com/gitlab-org/gitlab/-/issues/438722 is fixed we should only
+        # match "parent_pipeline" source if $[[ inputs.trigger_in_child_pipeline ]] is `true`.
+        - if: $CI_PIPELINE_SOURCE == "parent_pipeline"
         - if: $CI_OPEN_MERGE_REQUESTS  # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
           when: never
         - if: $CI_COMMIT_BRANCH        # If there's no open merge request, add it to a *branch* pipeline instead.
@@ -103,6 +106,9 @@ spec:
     validate_rules:
       default:
         - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+        # FIXME: once https://gitlab.com/gitlab-org/gitlab/-/issues/438722 is fixed we should only
+        # match "parent_pipeline" source if $[[ inputs.trigger_in_child_pipeline ]] is `true`.
+        - if: $CI_PIPELINE_SOURCE == "parent_pipeline"
         - if: $CI_OPEN_MERGE_REQUESTS  # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
           when: never
         - if: $CI_COMMIT_BRANCH        # If there's no open merge request, add it to a *branch* pipeline instead.
@@ -111,6 +117,9 @@ spec:
     plan_rules:
       default:
         - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+        # FIXME: once https://gitlab.com/gitlab-org/gitlab/-/issues/438722 is fixed we should only
+        # match "parent_pipeline" source if $[[ inputs.trigger_in_child_pipeline ]] is `true`.
+        - if: $CI_PIPELINE_SOURCE == "parent_pipeline"
         - if: $CI_OPEN_MERGE_REQUESTS  # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
           when: never
         - if: $CI_COMMIT_BRANCH        # If there's no open merge request, add it to a *branch* pipeline instead.
@@ -138,6 +147,10 @@ spec:
       default: opentofu
       type: string
       description: 'If `trigger_in_child_pipeline` is `true` then this defines the stage of the child pipeline bridge job.'
+    child_pipeline_rules:
+      default: [{when: on_success}]
+      type: array
+      description: 'Defines the `rules` of the child pipeline bridge job.'
 
 ---
 
@@ -232,11 +245,18 @@ stages:
 
 '$[[ inputs.job_name_prefix ]]$[[ inputs.child_pipeline_name ]]':
   rules:
-    - if: '"$[[ inputs.trigger_in_child_pipeline ]]" == "true"'
+    - if: '"$[[ inputs.trigger_in_child_pipeline ]]" == "false"'
+      when: never
+    - $[[ inputs.child_pipeline_rules ]]
   extends: '.$[[ inputs.job_name_prefix ]]$[[ inputs.child_pipeline_name ]]:bridge_job_stage:$[[ inputs.trigger_in_child_pipeline ]]'
   trigger:
     include:
-      - local: /templates/validate-plan-apply.yml
+      # FIXME: this project path may not be correct for forks and mirrors (on self-managed),
+      # so we need to introduce another input for it.
+      # We probably need to split up `image_registry_base` and use parts of it here, too.
+      - project: 'components/opentofu'
+        file: '/templates/validate-plan-apply.yml'
+        ref: '$[[ inputs.version ]]'
         inputs:
           stage_validate: $[[ inputs.stage_validate ]]
           stage_build: $[[ inputs.stage_build ]]
diff --git a/templates/validate-plan-destroy.yml b/templates/validate-plan-destroy.yml
index 229666d16f350ae1c4d086d6237799d928de5508..c22650f760b2c467d60f6ca30093803b1341b196 100644
--- a/templates/validate-plan-destroy.yml
+++ b/templates/validate-plan-destroy.yml
@@ -95,6 +95,9 @@ spec:
     fmt_rules:
       default:
         - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+        # FIXME: once https://gitlab.com/gitlab-org/gitlab/-/issues/438722 is fixed we should only
+        # match "parent_pipeline" source if $[[ inputs.trigger_in_child_pipeline ]] is `true`.
+        - if: $CI_PIPELINE_SOURCE == "parent_pipeline"
         - if: $CI_OPEN_MERGE_REQUESTS  # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
           when: never
         - if: $CI_COMMIT_BRANCH        # If there's no open merge request, add it to a *branch* pipeline instead.
@@ -103,6 +106,9 @@ spec:
     validate_rules:
       default:
         - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+        # FIXME: once https://gitlab.com/gitlab-org/gitlab/-/issues/438722 is fixed we should only
+        # match "parent_pipeline" source if $[[ inputs.trigger_in_child_pipeline ]] is `true`.
+        - if: $CI_PIPELINE_SOURCE == "parent_pipeline"
         - if: $CI_OPEN_MERGE_REQUESTS  # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
           when: never
         - if: $CI_COMMIT_BRANCH        # If there's no open merge request, add it to a *branch* pipeline instead.
@@ -111,6 +117,9 @@ spec:
     plan_rules:
       default:
         - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+        # FIXME: once https://gitlab.com/gitlab-org/gitlab/-/issues/438722 is fixed we should only
+        # match "parent_pipeline" source if $[[ inputs.trigger_in_child_pipeline ]] is `true`.
+        - if: $CI_PIPELINE_SOURCE == "parent_pipeline"
         - if: $CI_OPEN_MERGE_REQUESTS  # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
           when: never
         - if: $CI_COMMIT_BRANCH        # If there's no open merge request, add it to a *branch* pipeline instead.
@@ -144,6 +153,10 @@ spec:
       default: opentofu
       type: string
       description: 'If `trigger_in_child_pipeline` is `true` then this defines the stage of the child pipeline bridge job.'
+    child_pipeline_rules:
+      default: [{when: on_success}]
+      type: array
+      description: 'Defines the `rules` of the child pipeline bridge job.'
 
 ---
 
@@ -266,11 +279,18 @@ stages:
 
 '$[[ inputs.job_name_prefix ]]$[[ inputs.child_pipeline_name ]]':
   rules:
-    - if: '"$[[ inputs.trigger_in_child_pipeline ]]" == "true"'
+    - if: '"$[[ inputs.trigger_in_child_pipeline ]]" == "false"'
+      when: never
+    - $[[ inputs.child_pipeline_rules ]]
   extends: '.$[[ inputs.job_name_prefix ]]$[[ inputs.child_pipeline_name ]]:bridge_job_stage:$[[ inputs.trigger_in_child_pipeline ]]'
   trigger:
     include:
-      - local: /templates/validate-plan-destroy.yml
+      # FIXME: this project path may not be correct for forks and mirrors (on self-managed),
+      # so we need to introduce another input for it.
+      # We probably need to split up `image_registry_base` and use parts of it here, too.
+      - project: 'components/opentofu'
+        file: '/templates/validate-plan-destroy.yml'
+        ref: '$[[ inputs.version ]]'
         inputs:
           stage_validate: $[[ inputs.stage_validate ]]
           stage_build: $[[ inputs.stage_build ]]
diff --git a/templates/validate-plan.yml b/templates/validate-plan.yml
index 238fa182e28570c385e2a1c04c3a648d7cea72f3..acd3d4dbf3cf0eff823e4b6153256d88ace6ac68 100644
--- a/templates/validate-plan.yml
+++ b/templates/validate-plan.yml
@@ -85,6 +85,9 @@ spec:
     fmt_rules:
       default:
         - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+        # FIXME: once https://gitlab.com/gitlab-org/gitlab/-/issues/438722 is fixed we should only
+        # match "parent_pipeline" source if $[[ inputs.trigger_in_child_pipeline ]] is `true`.
+        - if: $CI_PIPELINE_SOURCE == "parent_pipeline"
         - if: $CI_OPEN_MERGE_REQUESTS  # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
           when: never
         - if: $CI_COMMIT_BRANCH        # If there's no open merge request, add it to a *branch* pipeline instead.
@@ -93,6 +96,9 @@ spec:
     validate_rules:
       default:
         - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+        # FIXME: once https://gitlab.com/gitlab-org/gitlab/-/issues/438722 is fixed we should only
+        # match "parent_pipeline" source if $[[ inputs.trigger_in_child_pipeline ]] is `true`.
+        - if: $CI_PIPELINE_SOURCE == "parent_pipeline"
         - if: $CI_OPEN_MERGE_REQUESTS  # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
           when: never
         - if: $CI_COMMIT_BRANCH        # If there's no open merge request, add it to a *branch* pipeline instead.
@@ -101,6 +107,9 @@ spec:
     plan_rules:
       default:
         - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+        # FIXME: once https://gitlab.com/gitlab-org/gitlab/-/issues/438722 is fixed we should only
+        # match "parent_pipeline" source if $[[ inputs.trigger_in_child_pipeline ]] is `true`.
+        - if: $CI_PIPELINE_SOURCE == "parent_pipeline"
         - if: $CI_OPEN_MERGE_REQUESTS  # Don't add it to a *branch* pipeline if it's already in a merge request pipeline.
           when: never
         - if: $CI_COMMIT_BRANCH        # If there's no open merge request, add it to a *branch* pipeline instead.
@@ -122,6 +131,10 @@ spec:
       default: opentofu
       type: string
       description: 'If `trigger_in_child_pipeline` is `true` then this defines the stage of the child pipeline bridge job.'
+    child_pipeline_rules:
+      default: [{when: on_success}]
+      type: array
+      description: 'Defines the `rules` of the child pipeline bridge job.'
 
 ---
 
@@ -197,11 +210,18 @@ stages:
 
 '$[[ inputs.job_name_prefix ]]$[[ inputs.child_pipeline_name ]]':
   rules:
-    - if: '"$[[ inputs.trigger_in_child_pipeline ]]" == "true"'
+    - if: '"$[[ inputs.trigger_in_child_pipeline ]]" == "false"'
+      when: never
+    - $[[ inputs.child_pipeline_rules ]]
   extends: '.$[[ inputs.job_name_prefix ]]$[[ inputs.child_pipeline_name ]]:bridge_job_stage:$[[ inputs.trigger_in_child_pipeline ]]'
   trigger:
     include:
-      - local: /templates/validate-plan.yml
+      # FIXME: this project path may not be correct for forks and mirrors (on self-managed),
+      # so we need to introduce another input for it.
+      # We probably need to split up `image_registry_base` and use parts of it here, too.
+      - project: 'components/opentofu'
+        file: '/templates/validate-plan.yml'
+        ref: '$[[ inputs.version ]]'
         inputs:
           stage_validate: $[[ inputs.stage_validate ]]
           stage_build: $[[ inputs.stage_build ]]