### Problem description As described in the parent epic https://gitlab.com/groups/gitlab-org/-/epics/8679 Users want to be able to have standardized workflows across teams and projects and leverage protected branches as a way to do this. ### Implementation plan 1. Update `ProtectedBranchPolicy` to handle both projects as well as groups. 1. Create `Groups::ProtectedBranchesController` similar to `Projects::ProtectedBranchesController`. This will be used by frontend to create new protected branches for a group. 1. Update `Groups::Settings::RepositoryController` and create an instance variable like `@protected_branches = @group.protected_branches.order(:name).page(params[:page])`. This will be used by the frontend to list the protected branches on the group settings page. 1. Update the `show` method of `Projects::Settings::RepositoryController` to return `@protected_branches` as well as `@protected_group_branches` where `@protected_group_branches = @project.root_namespace.protected_branches.order(:name).page(params[:page])`. Frontend can use the new variable `@protected_group_branches` to distinguish the protected branches defined at the group level and mark them as locked as per the UI. This should be behind a feature flag. 1. Add these helper methods to the `projects` model so that it can be used at other places. ```ruby def group_protected_branches root_namespace.protected_branches end def all_protected_branches protected_branches + group_protected_branches end ``` 1. Find and update the usage of `project.protected_branches` with `project.all_branches` at the required places in the codebase. This should be behind a feature flag. **Notes:** * The frontend will need to know whether a protected branch was inherited or not (did it come from a parent group?). We can then use that information to disable it at the project level. * The frontend uses patch requests on edit to the [projects protected branches controller](https://gitlab.com/gitlab-org/gitlab/blob/master/app/controllers/projects/protected_branches_controller.rb#L5) using the endpoint generated by `namespace_project_protected_branch_path(@project.namespace, @project, protected_branch)`. We will need to replicate this for groups. * We have a [protected branches REST API](https://docs.gitlab.com/ee/api/protected_branches.html) and [branches REST API](https://docs.gitlab.com/ee/api/branches.html) but no equivalents in GraphQL. Neither is used by the UI. * Do we need to add group-level protected branches to a project's protected branches API and branches API responses? If so we should make sure it as some kind of `inherited` flag or `inherited_from` property. * If the above, we will need to indicate that a protected branch is locked within the project-level APIs as well. Probably with a `locked` flag property.