Reading CI job token authorization log and allowlist should not require each project authorization
Problem
When a project maintainer tries to inspect the job token authorization log in CI/CD settings and the authorization log contains projects on which the maintainer has no Guest+ permissions, the authorization log is not displayed and a generic error appears in the UI.
GraphQL returns the following errors:
[{"message"=>"Cannot return null for non-nullable field CiJobTokenAuthLog.originProject"}, {"message"=>"Cannot return null for non-nullable field CiJobTokenAuthLog.originProject"}]
This is caused by the fact that we are using Types::ProjectType to display origin_project in Types::Ci::JobTokenAuthLogType. Similarly, we use Types::ProjectType in Types::Ci::JobTokenScope::AllowlistEntryType.
Proposal
The authorization log should be visible to the maintainer of the project, regardless of whether the user has permission to read each project. It's ok to leak the project path because it is important for the maintainer of the accessed project to know where connections are coming from.
The same should apply to the job token allowlist:
- To view the allowlist we should only check that the user is maintainer+ of the current project. No permissions checks on the allowlisted projects.
- To modify the allowlist we should require the maintainer to be at least Guest of the project to allowlist. This behavior is unchanged.
Implementation
We should not use Types::ProjectType at all here, to avoid accidentally leaking project data by relaxing the permission checks. Instead we should use a specific/safer Type that has only id and full_path.
The new type should be specifically used by Types::Ci::JobTokenAuthLogType and be called something like Types::Ci::JobTokenAuthLogProjectType. This new type will only have the project id and full_path and will not require the read_project permission to return that information.
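The difference between the two approaches, as an added plain-Ruby model that is not GitLab code and does not use the graphql gem: a full project view that authorizes each project nulls out a non-nullable field, while a narrow view gated only on the accessed project returns id and full_path. All names and sample data below are hypothetical and constructed for illustration.

```ruby
# Constructed model in plain Ruby; not GitLab code and not the graphql gem.
Project = Struct.new(:id, :full_path, :description, :members)
class NullFieldError < StandardError; end
class Forbidden < StandardError; end

# Constructed sample data: the viewer maintains the accessed project only.
ACCESSED = Project.new(1, 'group/accessed', 'internal notes', { 'alice' => :maintainer })
ORIGIN   = Project.new(2, 'other/origin', 'private roadmap', {})
AUTH_LOG = { ACCESSED.id => [ORIGIN] } # accessed project id => origin projects

# Stand-in for a full project type: authorizes every object it renders and
# yields nil when the viewer cannot read that project.
def full_project_view(project, user)
  return nil unless project.members.key?(user)

  { id: project.id, full_path: project.full_path, description: project.description }
end

# Stand-in for the proposed narrow type: id and full_path only, with no
# per-project permission check.
def auth_log_project_view(project)
  { id: project.id, full_path: project.full_path }
end

# The only gate is on the accessed project (simplified here to an exact
# maintainer role). origin_project is non-nullable, so a nil view fails
# the whole query, as in the reported error.
def auth_log(accessed, user, narrow:)
  raise Forbidden, 'maintainer role required' unless accessed.members[user] == :maintainer

  AUTH_LOG.fetch(accessed.id, []).map do |origin|
    view = narrow ? auth_log_project_view(origin) : full_project_view(origin, user)
    raise NullFieldError, 'Cannot return null for non-nullable field originProject' if view.nil?

    { origin_project: view }
  end
end

# Returns the log rows, or the name of the error class that stopped the query.
def outcome(accessed, user, narrow:)
  auth_log(accessed, user, narrow: narrow)
rescue NullFieldError, Forbidden => e
  e.class.name
end

p outcome(ACCESSED, 'alice', narrow: false)
p outcome(ACCESSED, 'alice', narrow: true)
p outcome(ACCESSED, 'mallory', narrow: true)
```

The narrow view never carries the description field, so relaxing the per-project check cannot expose more than the path and id.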