Block pipelines on protected branches

Description

As a Developer on a project, I can't push or merge into master (by default), why can I trigger a pipeline on master? If that pipeline includes a deploy, I'd be able to affect production. Sure, I can't affect the code, so I'm likely just re-deploying someone else's legitimate change. If/when we allow passing of variables to manual pipeline runs, I might be able to overwrite someone else's changes.

Proposal

• For protected branches, allow only those "allowed to merge" (Usually Masters, but can be changed) to:
  • run manual pipelines
  • trigger pipelines through API
  • trigger specific pipeline jobs (e.g. through retry)
  • redeploy and rollback (technically retrying a specific job, but presented in the UI as a unique function so mentioning here so the UI is handled properly)
  • and perform manual actions (covered by #20261 (closed), but listed here for completeness)

Links / references

• Related: #24196 (closed)

Documentation blurb

Security is a fundamental part in the development cycle, as this could include deployment to production. In order to allow only authorized people to modify what is released to the public, all the interactions with pipelines run on protected branches must be limited to users that have permissions to modify them. This includes running manual pipelines, triggering pipelines through an API call, retry existing jobs and perform any manual action.