Allow instance's admin to delete builds on protected branch
Problem to solve
Currently ci_builds table does not have a good way to clean up. A good approach is to rely on https://docs.gitlab.com/ee/api/jobs.html#erase-a-job by querying for project pipeline list -> query for job list from that pipeline -> erase jobs.
However the current permission system in erase job api does not let you erase jobs on protected branches (nor tag) thus making cleaning up out-dated jobs very difficult.
Intended users
Further details
Currently there is not an intuitive way to clean up ci_builds table, which is HUGE and make a lot of related API slow.
Proposal
With context of https://gitlab.com/gitlab-org/gitlab/-/blob/master/spec/policies/ci/build_policy_spec.rb#L169. Lets add a rule set that allow instance admins (or group owners) to delete builds + pipeline of instance/group.
And let instance admin delete builds / pipelines that target protected branches / tags.
Permissions and Security
Not sure
Documentation
- We might want to add a new section here about permission to delete jobs https://docs.gitlab.com/ee/user/permissions.html#job-permissions
Availability & Testing
N/A
What does success look like, and how can we measure that?
Instance admin can have a safe
What is the type of buyer?
Self-hosted customer
Is this a cross-stage feature?
N/A