Document how to protect manual jobs
Description
Teams need to create manual jobs to do things like deployments, or to implement approvals, but it's not obvious how to prevent just anyone from running the action, indicating their approval or actually running the deployment. It's actually possible using protected environments, letting you set the approval list for a job to only be the users associated with that environment, but this needs to be documented better.
Proposal
Add documentation specifically about how to restrict manual jobs, and mention the deploy and approve use cases. To protect a manual job, you need to add the environment key:
deploy_prod:
  stage: deploy
  script:
    - echo "Deploy to production server"
  environment:
    name: production
    url: https://example.com
  when: manual
  only:
    - master
Then, configure the environment as protected and allow maintainers/developers or individual users with at least developer access to click on it:
Approval Jobs
An approval job could be implemented in a similar way: it would have no action itself in its script section, but you could structure your stages/DAG such that the pipeline does not proceed past a point until the manual job with the appropriate environment approval has been run. The documentation update should reference approval jobs by name so it's easy to find the solution for this use case.
Reference
We should also reference the new documentation being written for https://gitlab.com/gitlab-org/gitlab-ee/issues/15632 from here, since some users who protect their manual jobs in this way may also want to protect their pipelines.
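
The approval gate described under Approval Jobs, written out as a full pipeline (an added example, not part of the original issue). The stage names, the build job and the approve_prod job name are assumptions; allow_failure: false is added because manual jobs are non-blocking by default, so without it the deploy stage would not wait for the approval.

```yaml
# Added example. Job and stage names are assumptions, not taken from the issue.
stages:
  - build
  - approve
  - deploy

build:
  stage: build
  script:
    - echo "Build the release artifact"

# Approval gate: the script does nothing useful on its own. The job exists so
# that only users allowed on the protected "production" environment can run it.
approve_prod:
  stage: approve
  script:
    - echo "Production deployment approved"
  environment:
    name: production      # must be configured as a protected environment
  when: manual
  allow_failure: false    # blocking: later stages wait until this job has run
  only:
    - master

# Runs automatically, but only after approve_prod has been played and succeeded.
deploy_prod:
  stage: deploy
  script:
    - echo "Deploy to production server"
  only:
    - master
```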