
Migrate existing public projects to enable SPP

Problem to Solve

Public projects created before #551949 do not have Secret Push Protection (SPP) enabled.

We need to migrate all existing public projects to have SPP enabled to ensure consistent security coverage across all public repositories.

Implementation Plan

The following are the tasks needed to implement this migration, grouped by milestone.

Milestone %18.5 (required stop):

  • Create a batched background migration:
    • All projects to be migrated should match:
      • Not be a GitLab project:
        • SPP had been enabled for all GitLab-groups.
        • We don't want to replicate the work, and we need to respect existing projects' choices:
          • If a GitLab project had disabled the feature, it should remain disabled.
      • Be public projects: project.public?.
      • Have a public repository: see this comment for details.
      • Have a project_security_settings record: project.security_setting:
        • If the project has no security setting record, we create one for it.
      • Have secret push protection disabled: !project.security_setting.secret_push_protection_enabled?.
    • Use scope_to or each_sub_batch to limit the batched background migration to a limited subset of records.
    • The migration should enable security_setting.secret_push_protection_enabled? for those projects in batches.
  • Enqueue the batched background migration:

Milestone %18.6 (after the required stop)

  • Finalize the batched background migration.

Milestone %18.9 (after the next required stop in %18.8)

  • Delete the batched background migration.
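
The selection rules from the Milestone %18.5 plan, modeled in plain Ruby as an added example (not GitLab's migration code). The Struct fields, the `gitlab_owned` and `repo_public` flags and the batch size are assumptions, and the sample projects are constructed.

```ruby
# Added example: plain-Ruby model of the migration's selection and batching.
# Struct fields, BATCH_SIZE and the gitlab_owned/repo_public flags are assumptions.
Project = Struct.new(:id, :public, :repo_public, :gitlab_owned, :security_setting, keyword_init: true)
SecuritySetting = Struct.new(:secret_push_protection_enabled, keyword_init: true)

BATCH_SIZE = 2 # constructed; small so the sample data spans several batches

# Mirrors the plan's criteria: not a GitLab project, public project, public repository.
def in_scope?(project)
  !project.gitlab_owned && project.public && project.repo_public
end

# Processes projects in id order, batch by batch. Returns the ids that were changed.
def migrate(projects, batch_size: BATCH_SIZE)
  changed = []
  projects.sort_by(&:id).each_slice(batch_size) do |batch|
    batch.select { |p| in_scope?(p) }.each do |project|
      # No security setting record yet: create one (disabled), then enable it below.
      project.security_setting ||= SecuritySetting.new(secret_push_protection_enabled: false)
      next if project.security_setting.secret_push_protection_enabled # already on, nothing to do

      project.security_setting.secret_push_protection_enabled = true
      changed << project.id
    end
  end
  changed
end

# Constructed sample rows, one per case the plan distinguishes.
def sample_projects
  off = -> { SecuritySetting.new(secret_push_protection_enabled: false) }
  on = -> { SecuritySetting.new(secret_push_protection_enabled: true) }
  [
    Project.new(id: 1, public: true, repo_public: true, gitlab_owned: false, security_setting: off.call),
    Project.new(id: 2, public: true, repo_public: true, gitlab_owned: false, security_setting: nil),
    Project.new(id: 3, public: true, repo_public: true, gitlab_owned: true, security_setting: off.call),
    Project.new(id: 4, public: false, repo_public: false, gitlab_owned: false, security_setting: off.call),
    Project.new(id: 5, public: true, repo_public: false, gitlab_owned: false, security_setting: off.call),
    Project.new(id: 6, public: true, repo_public: true, gitlab_owned: false, security_setting: on.call),
  ]
end

if __FILE__ == $PROGRAM_NAME
  projects = sample_projects
  puts "enabled SPP for: #{migrate(projects).inspect}"
  puts "second run (idempotent): #{migrate(projects).inspect}"
end
```

Project 3 models a GitLab project that disabled the feature and stays disabled; a second run changes nothing, which is the property that makes a retried batch safe.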

Resources

Edited by Ahmed Hemdan