Control default group level pipeline_variables_default_role: :no_one_allowed via instance setting

Background

With Change default of `restrict_user_defined_variab... (#502382 - closed) we are changing the default project level setting pipeline_variables_minimum_override_role to no_one_allowed for new projects in new namespaces on Gitlab.com.

We do this by introducing pipeline_variables_default_role group-level setting that controls the default project setting when new projects in the group are created.

• On Gitlab.com, new projects in new namespaces will get pipeline_variables_minimum_override_role: :no_one_allowed which can be changed afterwards.
• On self-managed/Dedicated, new projects will continue getting the backwards compatible pipeline_variables_minimum_override_role: :developer.

New proposal

• Turn the feature flag into an instance setting. Keep the instance setting enabled on Gitlab.com.
• Ensure the instance setting is introduced disabled by default.
• Document the instance setting.

Old Proposal - breaking change

All new projects (in any GitLab installation) will get pipeline_variables_minimum_override_role: :no_one_allowed by default.

In %18.0 we need to:

• Remove the feature flag https://gitlab.com/gitlab-org/gitlab/-/issues/502238+ which controls the new default no_one_allowed on Gitlab.com and make it the standard behavior.
• Change database default on namespace settings to no_one_allowed
• Keep ability to configure setting for new projects at group and project level.