Access control in CI/CD

I am not a Liquibase user in our team but am a data engineer and have been tasked with helping transition to a true CI/CD pipeline. Our devs have been used to making changes in Liquibase and/or the dev/staging/prod environments directly. This is a problem. We all agree we need to move to CI/CD and entertained the idea of doing read-only access for developers to cut the problem off at the head and force changes through Liquibase. However, this poses a problem for actual dev work in Liquibase, at least according to our dev team lead.

What are some recommended practices for ensuring devs have the ability to work in Liquibase and have the app function properly if we have to lock down individual dev accounts in SSMS? I understand a lot of these issues rest on people's behavior, but I have to cover all bases here. Thoughts?