Add self-service migration to block use of pipeline variables for projects not using them

Problem

We've identified an opportunity to enhance the security posture of projects that don't utilize certain CI/CD features. This improvement aims to reduce potential risks associated with unused functionality.

Goal

Improve the security configuration for projects that are not actively using specific CI/CD capabilities.

Proposal (high level goal)

Provide a UI button and API capability for users to self-serve a migration of all projects within a top-level group that don't use pipeline variables.

Migrate projects that have not used pipeline variables to have them disallowed. The project owner can always change the setting back if they need to.

  • Check if a project has used pipeline variables (e.g. leverage the Ci::PipelineVariable model)
      • If YES, keep the setting as-is.
      • If NO, restrict the setting to the max restriction level: pipeline_variables_minimum_override_role: :no_one_allowed
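
An added sketch of the check above, not GitLab's own code: `Project` and `PipelineVariable` are hypothetical in-memory stand-ins for the real models, and the sample paths and roles are constructed. It goes slightly beyond the list by supporting a dry run and recording each project's previous role, so an owner can change the setting back.

```ruby
require 'set'

# Hypothetical stand-ins for GitLab's Project and Ci::PipelineVariable records.
# Only pipeline_variables_minimum_override_role and :no_one_allowed come from the issue.
Project = Struct.new(:id, :path, :pipeline_variables_minimum_override_role, keyword_init: true)
PipelineVariable = Struct.new(:project_id, :key, keyword_init: true)
RESTRICTED_ROLE = :no_one_allowed

# Restricts every project that has never used a pipeline variable.
# Returns a report; with dry_run: true nothing is modified.
def restrict_unused_pipeline_variables(projects, pipeline_variables, dry_run: false)
  used_ids = pipeline_variables.map(&:project_id).to_set
  report = { kept: [], already_restricted: [], restricted: [] }
  projects.each do |project|
    if used_ids.include?(project.id)
      report[:kept] << project.path              # YES: keep the setting as-is
    elsif project.pipeline_variables_minimum_override_role == RESTRICTED_ROLE
      report[:already_restricted] << project.path # nothing to do, so re-runs are safe
    else
      previous = project.pipeline_variables_minimum_override_role
      project.pipeline_variables_minimum_override_role = RESTRICTED_ROLE unless dry_run
      report[:restricted] << { path: project.path, previous_role: previous }
    end
  end
  report
end

# Constructed sample data for one top-level group.
def sample_projects
  [
    Project.new(id: 1, path: 'acme/api', pipeline_variables_minimum_override_role: :developer),
    Project.new(id: 2, path: 'acme/docs', pipeline_variables_minimum_override_role: :developer),
    Project.new(id: 3, path: 'acme/infra/terraform', pipeline_variables_minimum_override_role: :maintainer),
    Project.new(id: 4, path: 'acme/legacy', pipeline_variables_minimum_override_role: :no_one_allowed)
  ]
end

def sample_pipeline_variables
  [PipelineVariable.new(project_id: 1, key: 'DEPLOY_ENV')]
end

if __FILE__ == $PROGRAM_NAME
  # Dry run first: shows what the migration would change without touching anything.
  report = restrict_unused_pipeline_variables(sample_projects, sample_pipeline_variables, dry_run: true)
  report.each { |status, entries| puts "#{status}: #{entries.inspect}" }
end
```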

Implementation plan
