(background below): 

I have a host that I want my Bitbucket repo to deploy to (using ssh) that I want to only be available when an authenticated background service is running on the agent.

Is there a way to specify the fingerprint (without fetching), or to allow the pipeline to proceed on that check? (an automated step to add the fingerprint to the repo I could run once could work...)

Background:

I've used a non-default port for my ssh, but on checking logs, I have learned this port has been found and probed (a lot). While no rando has gained access (thanks to ssh keys and disallowing passwords), I want to take this up a notch.

I tried using a firewall rule to only allow known public IPs; however, since I don't know the public IP's that Bitbucket jobs run from, I had to temporarily open up the firewall whenever doing a deployment (annoying).

Recently I learned about Twingate, and I want to setup my bitbucket pipeline to load a twingate headless service to create an authenticated tunnel that is then able to ssh without me opening my firewall; however, that means that the hostname the pipeline needs to use (foo.local) is only available once the pipeline has started the service and not on the repo settings to fetch the fingerprint.