Follow-up work for Ci::Workloads abstraction

Extracted from discussions at !176742 (comment 2315155725)

TODO

  1. Prevent the creation of a normal pipeline when creating the new branch for a workload. See also !176742 (comment 2352831812)
  2. Add validations to our Workload class
  3. Refactor other code paths to use Workload:
    1. On-demand DAST scan (triggers a once-off job)
    2. On-demand DAST validation (triggers a once-off job)
    3. Container Scan when new container image is pushed to the repository
    4. Slash commands for chatops
  4. Extract lowest common denominator API for above use cases. Consider a Ci::Workloads::SimplifiedWorkload < Ci::Workloads::Workload that takes a minimal API and constructs the ci_job for you
  5. Implement a POC for how we might run this on top of CI step runner to prove out the flexibility of this approach and set boundaries for the APIs
  6. Implement a POC which decouples the features from the Pipeline object. Try to always use a Workload as an intermediate object (possibly via foreign key) to access whatever we need from the Pipeline.
  7. Make expand: false default for all YAML variables
  8. We have Pipeline.disable_variables_sources which disables variables for specific pipeline sources but we should ideally disable it by default for all workloads to reduce coupling with CI variables.
  9. Simplify the allow/deny code paths for all CI variables . See the conversation started at !176742 (comment 2351213490)
Edited by Dylan Griffith (ex GitLab)