Add `admin_runners` custom role permission

What does this MR do and why?

This change introduces a new custom permission to allow users the ability to manage runners for a group or project.

#442851 (closed)

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Before	After
	After: Enable/Disable instance runners for Group

How to set up and validate locally

1. In rails console enable the experiment fully

   Feature.enable(:custom_ability_admin_runners)

2. Create a role with the Admin Runners permission enabled.
3. Assign the new role to a new user
4. Login with the new user
5. Visit any project page and ensure that the Settings menu item appears in the navigation.
6. Click on the Settings menu and ensure that the CI/CD menu item appears.
7. Click on the CI/CD menu.
8. Ensure that the Runners section appears.
9. Click on Expand
10. Ensure that the list of runners are displayed.

app/services/groups/update_shared_runners_service.rb

@@ -3,7 +3,7 @@
 module Groups
   class UpdateSharedRunnersService < Groups::BaseService
     def execute
-      return error('Operation not allowed', 403) unless can?(current_user, :admin_group, group)
+      return error('Operation not allowed', 403) unless allowed_any?(:admin_group, :admin_runner)
 
       validate_params
 
@@ -18,6 +18,10 @@ def execute
 
     private
 
+    def allowed_any?(*permissions)
+      can_any?(current_user, Array(permissions), group)
+    end
+
     def validate_params
       unless Namespace::SHARED_RUNNERS_SETTINGS.include?(params[:shared_runners_setting])
         raise ArgumentError, "state must be one of: #{Namespace::SHARED_RUNNERS_SETTINGS.join(', ')}"