Enhance `restrict_user_defined_variables` to restrict to owners only

Problem to solve

Users want to be able to restrict user-defined variables from being overridden by Developers and above. Currently the `restrict_user_defined_variables` project option restricts update access to maintainers and above.

Proposal

Keep the `restrict_user_defined_variables` attribute as a boolean on the API, but mark it as deprecated. Internally, however, we need a new setting with a new name; for lack of a better name, let's call it `ci_variable_override_restriction` for now. The API then needs a new string parameter `ci_variable_override_restriction` for this purpose, which can be `developer`, `maintainer`, `owner`, etc.

When a user calls the API with `restrict_user_defined_variables: true` (the existing API), we update both the old setting `restrict_user_defined_variables: true` and the new setting `ci_variable_override_restriction: maintainer`.

When we evaluate the permission to override a variable, we use the new setting `ci_variable_override_restriction`. The old setting is just kept for consistency and can be removed later on.

Then, we need to migrate the existing projects with `restrict_user_defined_variables: true` to have `ci_variable_override_restriction: maintainer`.

Intended users


Updated Problem to solve:

Users want to be able to restrict user-defined variables from being overridden by Developers and Maintainers. Currently the `restrict_user_defined_variables` project option only restricts overriding to the extent that Maintainers and Owners can still override them.

  1. Introduce a new setting on the ProjectCiCdSettings table in a new column `ci_pipeline_variables_minimum_override_role`, an enum `no_one_allowed|developer|maintainer|owner` with default value `maintainer`.
  2. Handle a new attribute, `ci_pipeline_variables_minimum_override_role`, on the projects API (https://docs.gitlab.com/ee/api/projects.html#edit-project).
  3. Consider `restrict_user_defined_variables` as a determinant for `pipeline_variables_minimum_override_role`. If `restrict_user_defined_variables` is false, we disregard the value of `pipeline_variables_minimum_override_role` and permit variable overrides for any role. Conversely, if it is ON, we adhere to `pipeline_variables_minimum_override_role` and establish overwrite permissions based on the role.

As a result, we've introduced a more gradual way to limit the overriding of user-defined variables based on the user's role: developer, maintainer, or owner. This change supports the old `restrict_user_defined_variables` settings for a while, ensuring a smooth transition without breaking anything.
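The decision described in steps 1 to 3, written out as an added illustration that is not GitLab's own code: the module, struct and method names are hypothetical, and roles are modelled as plain symbols ranked developer < maintainer < owner.

```ruby
# Added illustration; module, struct and method names are hypothetical.
module PipelineVariableOverride
  # Relative ranking of the roles named in the proposal (higher = more privileged).
  ROLE_RANK = { developer: 1, maintainer: 2, owner: 3 }.freeze
  MINIMUM_ROLES = (%i[no_one_allowed] + ROLE_RANK.keys).freeze
  DEFAULT_MINIMUM_ROLE = :maintainer # default value from step 1

  # Stand-in for the two project CI/CD settings involved in the decision.
  Settings = Struct.new(:restrict_user_defined_variables,
                        :minimum_override_role, keyword_init: true)

  # True when a user holding `user_role` may override pipeline variables.
  def self.allowed?(settings, user_role)
    # Step 3: with the legacy flag off, the minimum role is disregarded
    # and overrides are permitted for any role.
    return true unless settings.restrict_user_defined_variables

    minimum = (settings.minimum_override_role || DEFAULT_MINIMUM_ROLE).to_sym
    # Reject values outside the enum instead of silently granting access.
    raise ArgumentError, "unknown minimum role: #{minimum}" unless MINIMUM_ROLES.include?(minimum)
    return false if minimum == :no_one_allowed

    # Roles not in the ranking (e.g. :reporter) rank 0 and fail closed.
    ROLE_RANK.fetch(user_role.to_sym, 0) >= ROLE_RANK.fetch(minimum)
  end

  # Role => allowed? for every ranked role, useful for reviewing a project's settings.
  def self.decision_table(settings)
    ROLE_RANK.keys.to_h { |role| [role, allowed?(settings, role)] }
  end
end

if __FILE__ == $PROGRAM_NAME
  s = PipelineVariableOverride::Settings.new(
    restrict_user_defined_variables: true, minimum_override_role: :owner
  )
  p PipelineVariableOverride.decision_table(s)
end
```

The combination to watch during the transition is the flag left off with a strict minimum role configured: the role setting has no effect until `restrict_user_defined_variables` is on.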

Edited by Dmytro Biryukov