Allow instance's admin to delete builds on protected branch

Problem to solve

Currently the ci_builds table does not have a good way to be cleaned up. A good approach is to rely on https://docs.gitlab.com/ee/api/jobs.html#erase-a-job by querying for the project pipeline list -> querying for the job list from that pipeline -> erasing the jobs.

However, the current permission system in the erase job API does not let you erase jobs on protected branches (or tags), thus making cleaning up outdated jobs very difficult.

Intended users

Further details

Currently there is no intuitive way to clean up the ci_builds table, which is HUGE and makes a lot of related APIs slow.

Proposal

With the context of https://gitlab.com/gitlab-org/gitlab/-/blob/master/spec/policies/ci/build_policy_spec.rb#L169, let's add a rule set that allows instance admins (or group owners) to delete builds + pipelines of the instance/group.

And let instance admins delete builds / pipelines that target protected branches / tags.

Permissions and Security

Not sure

Documentation

Availability & Testing

N/A

What does success look like, and how can we measure that?

Instance admin can have a safe

What is the type of buyer?

Self-hosted customer

Is this a cross-stage feature?

N/A

Links / references
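
The cleanup loop described under "Problem to solve" (pipeline list -> job list -> erase), as an added example that is not part of the original issue or of GitLab's code. It records the jobs the erase endpoint refuses, so an admin can see which refs block the cleanup. The instance URL, function names and the injectable `call` transport are assumptions made for illustration.

```python
import json
import urllib.error
import urllib.request

API = "https://gitlab.example.com/api/v4"  # placeholder instance URL (assumption)

def http_call(method, url, token):
    """Real transport: returns (HTTP status, parsed JSON body or None)."""
    req = urllib.request.Request(url, method=method,
                                 headers={"PRIVATE-TOKEN": token})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"null")
    except urllib.error.HTTPError as err:
        return err.code, None

def paged(call, url, token):
    """Yield every item of a paginated list endpoint, 100 per page."""
    page = 1
    while True:
        status, items = call("GET", f"{url}?per_page=100&page={page}", token)
        if status != 200 or not items:
            return
        yield from items
        page += 1

def erase_project_jobs(project_id, token, call=http_call):
    """Walk pipelines -> jobs -> erase. Returns (erased ids, refused jobs)."""
    erased, refused = [], []
    base = f"{API}/projects/{project_id}"
    for pipeline in paged(call, f"{base}/pipelines", token):
        jobs_url = f"{base}/pipelines/{pipeline['id']}/jobs"
        for job in paged(call, jobs_url, token):
            status, _ = call("POST", f"{base}/jobs/{job['id']}/erase", token)
            if 200 <= status < 300:
                erased.append(job["id"])
            else:
                # Keep ref and status: a 403 here is the refusal the issue
                # describes for jobs on protected branches and tags.
                refused.append((job["id"], job["ref"], status))
    return erased, refused
```

Passing a stub as `call` lets the loop be exercised without touching a live instance.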