Change default of `restrict_user_defined_variables` to `true` behind FF
Related to: #502382
Today `restrict_user_defined_variables` is set to `false` by default, meaning that all developers are allowed to pass pipeline variables when creating pipelines. This default setting violates the least privilege principle.
What does this MR do and why?
- Set `restrict_user_defined_variables` to `true` by default.
- Use `pipeline_variables_minimum_override_role` from the root namespace settings (`pipeline_variables_default_role`).
- Default `pipeline_variables_default_role` to `developer` in namespace settings.
- Behind an FF `change_namespace_default_role_for_pipeline_variables`, disabled by default:
  - disabled - `pipeline_variables_default_role` = `developer`
  - enabled - `pipeline_variables_default_role` = `no_one_allowed`
The idea is to:
- Begin the rollout with the default `developer` role, enabling both `restrict_user_defined_variables` and `pipeline_variables_minimum_override_role`.
- In later milestones, use namespace migrations to enforce stricter limits, first changing the role to `maintainer` and eventually to `no_one_allowed`.
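As an added example (not code from this MR and not GitLab's implementation), the following Ruby model shows the override check the description is about: the old behaviour with `restrict_user_defined_variables` off, the new default where the restriction is on and the minimum role comes from the namespace, and the two feature-flag states (`developer` versus `no_one_allowed`). The class and method names (`PipelineVariablePolicy`, `can_override?`, `effective_default_role`, `rollout_table`) and the numeric role ranks are assumptions made for illustration.

```ruby
# Added example: a toy model of the pipeline-variable override check
# described in the MR. PipelineVariablePolicy, can_override?,
# effective_default_role and rollout_table are illustrative names,
# not GitLab's real API; the rank values are likewise assumed.

# Member roles in ascending order of privilege (assumed ranks).
ROLE_RANK = {
  guest: 10,
  reporter: 20,
  developer: 30,
  maintainer: 40,
  owner: 50
}.freeze

# Sentinel for pipeline_variables_default_role meaning "no member at all".
NO_ONE_ALLOWED = :no_one_allowed

# Namespace-level default chosen by the feature flag, as the MR describes:
#   FF disabled -> :developer, FF enabled -> :no_one_allowed
def effective_default_role(ff_enabled:)
  ff_enabled ? NO_ONE_ALLOWED : :developer
end

class PipelineVariablePolicy
  # restrict:     the project's restrict_user_defined_variables setting
  # minimum_role: the namespace's pipeline_variables_minimum_override_role
  def initialize(restrict:, minimum_role:)
    unless minimum_role == NO_ONE_ALLOWED || ROLE_RANK.key?(minimum_role)
      raise ArgumentError, "unknown minimum role #{minimum_role.inspect}"
    end
    @restrict = restrict
    @minimum_role = minimum_role
  end

  # May a member holding `member_role` pass user-defined variables when
  # creating a pipeline?
  def can_override?(member_role)
    raise ArgumentError, "unknown role #{member_role.inspect}" unless ROLE_RANK.key?(member_role)

    # Legacy default: with the restriction switched off the role is not
    # consulted at all, which is the least-privilege violation the MR fixes.
    return true unless @restrict
    # Strictest setting: nobody can inject variables, whatever their role.
    return false if @minimum_role == NO_ONE_ALLOWED

    ROLE_RANK.fetch(member_role) >= ROLE_RANK.fetch(@minimum_role)
  end
end

# Policy for a project under the defaults this MR introduces, for a given
# feature-flag state.
def default_policy(ff_enabled:)
  PipelineVariablePolicy.new(restrict: true,
                             minimum_role: effective_default_role(ff_enabled: ff_enabled))
end

# Outcome for one member role at each stage of the rollout described in the MR.
def rollout_table(member_role)
  {
    legacy:            PipelineVariablePolicy.new(restrict: false, minimum_role: :developer).can_override?(member_role),
    developer_default: default_policy(ff_enabled: false).can_override?(member_role),
    maintainer_stage:  PipelineVariablePolicy.new(restrict: true, minimum_role: :maintainer).can_override?(member_role),
    no_one_allowed:    default_policy(ff_enabled: true).can_override?(member_role)
  }
end

if __FILE__ == $PROGRAM_NAME
  %i[guest developer maintainer owner].each do |role|
    puts "#{role}: #{rollout_table(role)}"
  end
end
```

Running the script prints one row per role; a developer is allowed under the legacy and `developer` defaults but refused once the namespace is migrated to `maintainer`, and even an owner is refused once the role is `no_one_allowed`.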
References
Please include cross links to any resources that are relevant to this MR. This will give reviewers and future readers helpful context to give an efficient review of the changes introduced.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
Before | After |
---|---|
How to set up and validate locally
Numbered steps to set up and validate the change are strongly suggested.
Merge request reports
Activity
- assigned to @dbiryukov
- changed milestone to %17.6
- added pipeline::tier-1 label
- added 1 commit
  - 9faf84f3 - Move the initialization of defaults to initialize
- added group::pipeline security label
- added devops::govern section::sec labels
- added backend label
- added priority::1 label
- Resolved by 🤖 GitLab Bot 🤖
  Proper labels assigned to this merge request. Please ignore me.
  @dbiryukov - please see the following guidance and update this merge request.
  1 Error: Please add `type::bug`, `type::feature`, or `type::maintenance` label to this merge request.
  Edited by 🤖 GitLab Bot 🤖
- added security-fix-in-public label
5 Warnings
- This MR changes code in `ee/`, but its Changelog commit is missing the `EE: true` trailer. Consider adding it to your Changelog commits.
- a97a6368: The commit body should not contain more than 72 characters per line. For more information, take a look at our Commit message guidelines.
- 890d1785: The commit subject may not be longer than 72 characters. For more information, take a look at our Commit message guidelines.
- 5cc271f4: The commit subject may not be longer than 72 characters. For more information, take a look at our Commit message guidelines.
- 5cc271f4: The commit subject must not end with a period. For more information, take a look at our Commit message guidelines.
2 Messages
- This merge request adds or changes documentation files. A review from the Technical Writing team before you merge is recommended. Reviews can happen after you merge.
- `config/feature_flags/development/change_namespace_default_role_for_pipeline_variables.yml`: Consider filling `feature_issue_url:`
Documentation review
The following files require a review from a technical writer:
- `doc/ci/variables/index.md` (Link to current live version)
The review does not need to block merging this merge request. See the:
- Metadata for the `*.md` files that you've changed. The first few lines of each `*.md` file identify the stage and group most closely associated with your docs change.
- The Technical Writer assigned for that stage and group.
- Documentation workflows for information on when to assign a merge request for review.
Reviewer roulette
Category | Reviewer | Maintainer
---|---|---
backend | @shubhamkrai (UTC+1, same timezone as author) | @partiaga (UTC+11, 10 hours ahead of author)
database | @irina.bronipolsky (UTC+0, 1 hour behind author) | @ahegyi (UTC+1, same timezone as author)
QA | @svistas (UTC+2, 1 hour ahead of author) | Maintainer review is optional for QA
test for spec/features/* | @shubhamkrai (UTC+1, same timezone as author) | Maintainer review is optional for test for spec/features/*
~"Verify" | Reviewer review is optional for ~"Verify" | @hfyngvason (UTC-5, 6 hours behind author)
Please refer to documentation page for guidance on how you can benefit from the Reviewer Roulette, or use the GitLab Review Workload Dashboard to find other available reviewers.
If needed, you can retry the `danger-review` job that generated this comment.
Generated by Danger. Edited by Ghost User
- A deleted user added feature flag label
- mentioned in merge request !171189 (closed)
- A deleted user added documentation label