Enable SPP for all projects in a group via a new API endpoint
### Problem
Today, push protection can only be enabled on a project-by-project basis. SPP cannot be combined with a security policy to enable the feature at scale. Customers need a way to enable SPP on multiple projects at a time in order to apply this control across their organization.
### Overview
As part of our efforts to [enable adoption of the Secret Push Protection feature at scale](https://gitlab.com/groups/gitlab-org/-/epics/15755 "Secret Push Protection – Enable Adoption at Scale"), we have decided to provide a new API that give customers the ability to enable/disable the feature for all projects in a group, including projects in nested groups as well.
This iterates on [existing configuration options](https://gitlab.com/groups/gitlab-org/-/epics/15755#overview "Secret Push Protection – Enable Adoption at Scale") which is being enhanced in https://gitlab.com/groups/gitlab-org/-/epics/15753 to ensure customers have some granular control over enabling the feature (this epic), while also having the ability to enable the feature for all projects in their instance.
### Proposal
Below is an updated proposal based on the refinement of issues in this epic:
* [Build a background job to enable the feature for all projects across an entire group](https://gitlab.com/gitlab-org/gitlab/-/issues/502826 "Add background job to enable SPP for all projects across an entire group").
* [Add REST API endpoint to enqueue the background job when called](https://gitlab.com/gitlab-org/gitlab/-/issues/502827 "Add REST API endpoint to enqueue the background job to enable SPP for all projects in group").
* [Add GraphQL mutation to, similarly, enqueue the same background job](https://gitlab.com/gitlab-org/gitlab/-/issues/502828 "Add GraphQL mutation to enqueue the background job to enable SPP for all projects in group").
* [Add audit event when SPP is enabled/disabled for a group via API](https://gitlab.com/gitlab-org/gitlab/-/issues/502829 "Add audit event when SPP is enabled/disabled for a group via API").
## Scope/Requirements
### MVC
* Group owners can use the API to enable secret push protection for all projects in the groups they own
* Group owners can pass group IDs as a parameter to enable SPP on multiple groups with the same API call
* REST support
### Nice-to-Have
* GraphQL support
* Audit events
## Considerations
* Add documentation for this where applicable.
* We should add alerting in the event the worker is down, also consider adding this to a group's error budget.
* Is REST or GraphQL used more often by customers?
epic