Ability to protect gitlab-ci.yml from changing by developers
Description
A .gitlab-ci.yml may contain rules to deploy an application to a production server and (usually) runs automatically after a push. It's not always wanted that any developer could change this.
Proposal
What's needed to lock down the .gitlab-ci.yml can already be done with code owners, by using the "Require code owner approval" toggle available in GitLab Premium.
As long as the CODEOWNERS file itself is locked down with a code owner and "Require code owner approval" is checked, this can already be accomplished. Using this feature, different CI templates could even have different owners, allowing for more flexibility.
As such, this issue does not require any code change or new feature. Instead, we should add clear documentation to the CI docs describing how to achieve the purpose here.
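The condition in the proposal (both .gitlab-ci.yml and the CODEOWNERS file itself must resolve to a restricted owner) can be checked mechanically. The following is an added example, not code from GitLab or from this issue: the group names, the .gitlab/CODEOWNERS location and the sample file contents are constructed, and the matcher is a simplification that assumes a CODEOWNERS file without sections.

```python
import fnmatch

TRUSTED = {"@example-group/release-managers"}  # hypothetical group name

# Constructed CODEOWNERS samples (no sections). WEAK guards the pipeline file
# but leaves CODEOWNERS itself to the catch-all rule.
WEAK = """\
* @example-group/developers
/.gitlab-ci.yml @example-group/release-managers
"""
LOCKED = WEAK + "/.gitlab/CODEOWNERS @example-group/release-managers\n"

def parse(text):
    """Return (pattern, owners) pairs, skipping blank lines and comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            pattern, *owners = line.split()
            rules.append((pattern, owners))
    return rules

def matches(pattern, path):
    """Simplified matcher: a leading '/' anchors at the repository root,
    any other pattern may match the full path or just the file name."""
    if pattern.startswith("/"):
        return fnmatch.fnmatchcase(path, pattern[1:])
    name = path.rsplit("/", 1)[-1]
    return fnmatch.fnmatchcase(path, pattern) or fnmatch.fnmatchcase(name, pattern)

def owners_for(rules, path):
    """The last matching rule decides the owners of a path."""
    owners = []
    for pattern, rule_owners in rules:
        if matches(pattern, path):
            owners = rule_owners
    return owners

def unprotected(text, codeowners_path=".gitlab/CODEOWNERS"):
    """Paths whose effective owners are missing or include an untrusted owner."""
    rules = parse(text)
    gaps = []
    for path in (".gitlab-ci.yml", codeowners_path):
        owners = set(owners_for(rules, path))
        if not owners or not owners <= TRUSTED:
            gaps.append(path)
    return gaps
```

With the WEAK sample the pipeline file is owned by the restricted group, but the CODEOWNERS file falls through to the catch-all rule, so any developer who owns it could rewrite the rule that guards .gitlab-ci.yml.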
Further Details
This could be expanded on in future iterations. Protecting included files is an option for a future improvement (you can work around that for now by including files from a protected repo). Generally, protecting arbitrary files is also interesting but brings in other UX considerations. For this iteration we are keeping things simple, but if these use cases are valuable to you, please open an issue with your ideas.
Some organizations also may not fully trust code owners, and want an additional level of approval. This could also be expanded upon in a future release.