Docs add: What permissions/role does a deploy key have?

Problem to solve

Clarify what rights the deploy key has by default. Read should be clear, but read/write is unclear.

According to the issue (linked below) the deploy key does not have rights to push to a protected branch, but since only maintainers can create deploy keys, does that make the most sense? If someone changes the protected branch allowed to push roles to any, would the deploy key then be allowed?

Customer in a ticket (internal) in their testing found that the deploy key could push to protected branches if the roles allowed was changed to Maintainers + Developers, but then this would allow all Developers to push to protected branches which is not ideal.

Further details

This came up during discussions about the following issue and the related customer tickets:

• https://gitlab.com/gitlab-org/gitlab-ce/issues/63862

Proposal

List what default permissions a deploy key has, or if it has the same permissions as a specific role, mention that.

Other links/references

• Docs for deploy keys: https://docs.gitlab.com/ee/ssh/#deploy-keys