Prevent unprotected runners from executing protected branch jobs
Proposal
Would like a way to limit/prevent runner job execution for a protected branch (e.g., main) on unprotected runners.
Example: I have a project with a protected main branch and two runners available to it. These runners have the same set of runner tags. However, one of the runners is “protected” (has the checkbox “This runner will only run on pipelines triggered on protected branches” ticked) and the other one is not (unprotected). I need to make sure that only the protected runner picks up the jobs for the protected branch, even though there is another (unprotected) runner with the same tags.
My tests show that simply enabling the runner protection is not enough: jobs from the main branch are randomly taken by the other, non-protected runner with the same tags.
Based off the above testing it appears that:
- Protected runners would only be allowed to run on pipelines triggered on protected branches/tags (git tags).
- Unprotected runners can run any job (also on protected branches).
cc: @jreporter
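An audit for the behaviour described in this issue, added here as an example and not part of the original issue or of GitLab's code: it lists the jobs on a protected branch that an unprotected runner is still eligible to pick up. The field names `access_level`, `tag_list` and `run_untagged` follow GitLab's Runners API; the runner and job records are constructed, and the matching rule (job tags must be a subset of the runner's tags) is the assumed scheduling model.

```python
# Added example: sample runner records are constructed, not taken from the issue.
# Field names follow GitLab's Runners API (access_level, tag_list, run_untagged).
RUNNERS = [
    {"id": 1, "description": "prod-deployer", "access_level": "ref_protected",
     "tag_list": ["docker", "deploy"], "run_untagged": False},
    {"id": 2, "description": "shared-builder", "access_level": "not_protected",
     "tag_list": ["docker", "deploy"], "run_untagged": False},
    {"id": 3, "description": "docs-only", "access_level": "not_protected",
     "tag_list": ["docs"], "run_untagged": True},
]


def can_pick(runner, job_tags, ref_protected):
    """Eligibility as described in the issue, plus tag matching."""
    # Protected runners are limited to protected refs; unprotected ones are not limited.
    if runner["access_level"] == "ref_protected" and not ref_protected:
        return False
    if not job_tags:
        # Untagged jobs only go to runners that accept untagged work.
        return runner["run_untagged"]
    return set(job_tags) <= set(runner["tag_list"])


def eligible_runners(runners, job_tags, ref_protected):
    return [r["id"] for r in runners if can_pick(r, job_tags, ref_protected)]


def exposed_protected_jobs(runners, jobs):
    """Return {job name: [unprotected runner ids]} for jobs on a protected ref."""
    findings = {}
    for name, tags in jobs.items():
        risky = [r["id"] for r in runners
                 if r["access_level"] != "ref_protected" and can_pick(r, tags, True)]
        if risky:
            findings[name] = risky
    return findings


# Constructed jobs of a pipeline on the protected main branch.
JOBS = {"deploy": ["docker", "deploy"], "lint": [], "sign": ["hsm"]}

if __name__ == "__main__":
    print(eligible_runners(RUNNERS, ["docker", "deploy"], ref_protected=True))
    print(exposed_protected_jobs(RUNNERS, JOBS))
```

An empty result from `exposed_protected_jobs` means every protected-branch job can only land on a protected runner; any entry names a job whose tags need to be made unique to the protected runner.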