Add `admin_cicd_variables` as a custom permission

Release notes

The Owner role is required to manage group CI/CD variables or Maintainer+ for project variables which can lead to an over privileged user. With the release of this permission, you can create a custom role and set the permission in the API so the user can manage CI/CD variables.

Why are we doing this work

Customers would like the capability to give the rights to edit CI/CD variables at the group or project level without being the owner/maintainer of a group or project.

Relevant links

Non-functional requirements

Documentation: https://docs.gitlab.com/ee/user/custom_roles/abilities.html
Feature flag: TBD
Performance:
Testing:

Implementation plan

Run ./ee/bin/custom-ability admin_cicd_variables to generate configuration for the new permission.
- name: admin_cicd_variables
- description: Manage CI/CD Variables
- introduced_by_issue: #437947 (closed)
- feature_category: continuous_integration
- group_ability: true
- project_ability: true
Run bundle exec rails generate gitlab:custom_roles:code --ability admin_cicd_variables
Add tests to ee/spec/requests/custom_roles/admin_cicd_variables/request_spec.rb for:
- Groups::VariablesController
- Projects::VariablesController
- REST API (Project Level Variables, Group Level Variables)
- GraphQL API
Add rule(s) to ProjectPolicy to enable ability to allow access to create/update variables
Add rule(s) to GroupPolicy to enable ability to allow access to create/update variables

Verification steps

TBD

Edited Feb 09, 2024 by Joe Randazzo