Migrate projects using pipeline variables to follow the minimum override role

Problem

As we plan to deprecate restrict_user_defined_variables setting in favor of pipeline_variables_minimum_override_role and given that the latter setting only works if restrict_user_defined_variables:true, we need to migrate first all the projects having restrict_user_defined_variables: false to true so we can then deprecate the old setting.

Goal

We want to be in a position to deprecate restrict_user_defined_variables as it will be set to true always.

This must be backwards compatible and should not have any changes in behavior.

Proposal

Migrate all projects with restrict_user_defined_variables: false to having restrict_user_defined_variables: true, pipeline_variables_minimum_override_role: :developer .

This is because when restrict_user_defined_variables: false it allows all developer+ users to use pipeline variables.

Rollout

Run this migration for projects owned by GitLab (gitlab-org, gitlab-com, etc.) groups first.
Then run the migration for all other projects.

Edited Jan 28, 2025 by Fabio Pitino - PTO until Jan 1