Draft: Add "manage runner" scope

What does this MR do and why?

This MR adds a manage_runner token scope, to enable the following runner management endpoints to be accessed with a single token:

endpoint	manage_runner Owner token result	manage_runner Maintainer token result	manage_runner Developer token result	create_runner Owner token result
GET /runners/:id	✅ 200 OK (using admin user token) ✅ 200 OK (using group token)	✅ 200 OK (using owner project token)	✅ 200 OK (using group token)	✅ "insufficient_scope"
PUT /runners/:id	✅ 200 OK (using owner project token)	✅ 200 OK (using owner project token)	✅ "403 Forbidden - No access granted"	✅ "insufficient_scope"
DELETE /runners/:id	✅ 204 No Content (using owner group token)	✅ 204 No Content (using owner group token)	✅ "403 Forbidden - No access granted"	✅ "insufficient_scope"
GET /projects/:id/runners	✅ 200 OK (using owner project token)	✅ 200 OK (using owner project token)	✅ 403 Forbidden	✅ "insufficient_scope"
GET /groups/:id/runners	✅ 200 OK (using owner group token)	✅ 200 OK (using owner group token)	✅ 403 Forbidden	✅ "insufficient_scope"
POST /runners/:id/reset_authentication_token	✅ 201 Created (using admin user token)	✅ 201 Created (using owner project token)	✅ "403 Forbidden - No access granted"	✅ "insufficient_scope"
GET /runners	✅ "insufficient_scope" (using group token) ✅ "insufficient_scope" (using admin user token)	✅ "insufficient_scope" (using group token)	✅ "insufficient_scope" (using group token)	✅ "insufficient_scope" (using admin user token)
GET /runners/all	✅ "insufficient_scope" (using group token) ✅ "insufficient_scope" (using admin user token)	✅ "insufficient_scope" (using group token)	✅ "insufficient_scope" (using group token)	✅ "insufficient_scope" (using admin user token)
GET /runners/:id/jobs	✅ 200 OK (using group token) ✅ 200 OK (using admin user token)	✅ "403 Forbidden - No access granted" (using group token)	✅ "403 Forbidden - No access granted" (using group token)	✅ "insufficient_scope" (using admin user token)
POST /projects/:id/runners	✅ 403 Forbidden (using project token) ✅ 201 Created (using admin user token)	✅ "403 Forbidden - No access granted" (using project token) ✅ 201 Created (using group token) ✅ 201 Created (using admin user token)	✅ 403 Forbidden (using project token) - would need access to source and target projects	✅ "insufficient_scope" (using admin user token)
DELETE /projects/:id/runners/:runner_id	✅ 204 No Content (using project token) ✅ 204 No Content (using admin user token)	✅ 204 No Content (using project token) ✅ 204 No Content (using group token) ✅ 204 No Content (using admin user token)	✅ "403 Forbidden - No access granted" (using project token)	✅ "insufficient_scope" (using project token)
POST /projects/:id/runners/reset_registration_token	✅ "insufficient_scope" (using admin user token) ✅ 403 Forbidden (using owner project token)	✅ 403 Forbidden (using owner project token)	✅ 403 Forbidden (using owner project token)	✅ "insufficient_scope" (using project token)
POST /groups/:id/runners/reset_registration_token	✅ "insufficient_scope" (using admin user token) ✅ 403 Forbidden (using owner group token)	✅ 403 Forbidden (using owner group token)	✅ 403 Forbidden (using owner group token)	✅ "insufficient_scope" (using group token)

Closes #460721 (closed)

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

Before	After

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.