graphql: Add mutation to delete custom attributes from projects

What does this MR do and why?

Introduces a new GraphQL mutation projectCustomAttributeDelete for deleting custom attributes associated with projects. This functionality is restricted to admin users to ensure proper access control.

Technical changes:

  • Created Mutations::Projects::CustomAttributes::Delete class with resolve method to handle deletion logic
  • Added CustomAttributeType in Types::Projects namespace for returning deleted attribute data
  • Updated MutationType to mount the new delete mutation (experimental, milestone 18.8)
  • Added read_custom_attribute and update_custom_attribute to BasePolicy admin rule (required for GraphQL field-level authorization)
  • Added comprehensive tests for various scenarios including authorization checks and attribute existence

Note on BasePolicy change:

GraphQL field-level authorization checks abilities against the parent object (e.g., Project), not globally. The existing REST API uses authorize! :read_custom_attribute without a subject, which defaults to :global and uses GlobalPolicy. By defining these abilities in BasePolicy, they work correctly for GraphQL mutations against Projects (and future Groups/Users).

This change enhances the GraphQL API by allowing admins to manage custom attributes more effectively.

Changelog: added

🛠️ with ❤️ at Siemens

References

Screenshots or screen recordings

Not applicable - API-only change

How to set up and validate locally

  • Ensure you have admin privileges in your local GitLab instance
  • Create a project with custom attributes via REST API or Rails console:
    project = Project.find_by_full_path('your/project')
    project.custom_attributes.create!(key: 'test_key', value: 'test_value')
  • Test the DELETE mutation via GraphQL Explorer or curl:
    mutation {
      projectCustomAttributeDelete(input: {
        projectPath: "your/project"
        key: "test_key"
      }) {
        customAttribute {
          key
          value
        }
        errors
      }
    }
  • Verify the custom attribute is deleted
  • Verify non-admin users receive authorization errors

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

MR Checklist (@gerardo-navarro)
Edited by Gerardo Navarro
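
The subject-scoped lookup described in the BasePolicy note above, as a simplified model. This is an added example, not code from the MR or from GitLab: the `Policy` class, `enable_for_admin`, `build_policies` and `can?` are hypothetical stand-ins for the real policy framework, and the class hierarchy is an assumption.

```ruby
# Simplified model of subject-scoped ability checks (not GitLab's policy code).
# Assumed hierarchy: the global and project policies both inherit a base policy.
User    = Struct.new(:name, :admin)
Project = Struct.new(:full_path)
CUSTOM_ATTRIBUTE_ABILITIES = %i[read_custom_attribute update_custom_attribute].freeze

# Minimal policy: the admin rule enables abilities; subclasses inherit them.
class Policy
  def self.admin_abilities
    @admin_abilities ||= []
  end

  def self.enable_for_admin(*abilities)
    admin_abilities.concat(abilities)
  end

  def self.allowed?(user, ability)
    return false unless user.admin
    klass = self
    while klass.respond_to?(:admin_abilities)
      return true if klass.admin_abilities.include?(ability)
      klass = klass.superclass
    end
    false
  end
end

# base_abilities land on the shared base policy, global_abilities only on the global one.
def build_policies(base_abilities:, global_abilities:)
  base    = Class.new(Policy) { enable_for_admin(*base_abilities) }
  global  = Class.new(base)   { enable_for_admin(*global_abilities) }
  project = Class.new(base)
  { global: global, Project => project }
end

# The policy is selected by the subject; a check without a subject uses :global.
def can?(policies, user, ability, subject = :global)
  key = subject == :global ? :global : subject.class
  policies.fetch(key).allowed?(user, ability)
end

BEFORE = build_policies(base_abilities: [], global_abilities: CUSTOM_ATTRIBUTE_ABILITIES)
AFTER  = build_policies(base_abilities: CUSTOM_ATTRIBUTE_ABILITIES,
                        global_abilities: CUSTOM_ATTRIBUTE_ABILITIES)

admin, project = User.new('root', true), Project.new('your/project')
puts "no subject, before:      #{can?(BEFORE, admin, :read_custom_attribute)}"
puts "project subject, before: #{can?(BEFORE, admin, :read_custom_attribute, project)}"
puts "project subject, after:  #{can?(AFTER, admin, :read_custom_attribute, project)}"
```

In this model an admin passes the subject-less check in both configurations, but passes the check against a project only once the abilities sit on the base policy; a non-admin is denied either way.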
