Restrict runner to protected branch

Description

We need to be able to secure production deployments. One part of that is to be able to restrict runners (that have production access) to only be run for specific branches, which themselves would likely be protected.

Proposal

In runner settings, have ability to specific branch (or regex) to lock a runner to.

Links / references

Part of solution for #23262 (closed)
Related: #17739 (moved)
Simpler MVP proposal: #24196 (closed)

Admin message

Admin message

Restrict runner to protected branch

Description

Proposal

Links / references