- Migration updates existing groups to "owner", then sets default to
  "maintainer" so that new groups will default to that
- Update spec examples

This setting is at the group level only. The default is specified to
be maintainers and owners.

**Specs only**, all failing.

Now we have terminals for instance and group clusters we can remove the
FF now. Deploying to group clusters has been working without complaints
too.

Add columns to store project creation settings

Add project creation level column in groups
 and default project creation column in application settings

Remove obsolete line from schema

Update migration with project_creation_level column existence check

Rename migrations to avoid conflicts

Update migration methods

Update migration method

- rewords examples starting with 'should'
- rewords examples starting with 'it'

Note: I had to manually fixup "onlies" to "only"

Chnage method used in model to make it
more efficient database-wise
Add additional spec

Adds `# frozen_string_literal: true` to spec/models ruby files

- Includes instance methods on Group model to detect when a group has
AutoDevOps explicitly/implicitly enabled/disabled.
- Includes migration to add a new column to namespaces table
- Add UI necessary modifications
- Add service and controller to update auto devops
related instances
- Updates project and groups auto devops badges

Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/52447

Currently if a project is inside a nested group and a user doesn't have
specific permissions for that group but does have permissions on a
parent group the `GET /projects/:id` API call will return the following
permissions:

```json
permissions: { project_access: null, group_access: null }
```

It could also happen that the group specific permissions are of lower
level than the ones the user has in parent groups. This patch makes it
so that the permission returned for `group_access` is the highest from
amongst the hierarchy, which is (ostensibly) the information that the
API user is interested in for that field.

It gathers list of file paths to delete before destroying
the parent object. Then after the parent_object is destroyed
these paths are scheduled for deletion asynchronously.

Carrierwave needed associated model for deleting upload file.
To avoid this requirement, simple Fog/File layer is used directly
for file deletion, this allows us to use just a simple list of paths.

Resolve "Can add an existing group member into a group project with new permissions but permissions are not overridden"

With this MR, group clusters is now functional, so default to enabled.

Have a single setting on the root ancestor group to enabled or disable
group clusters feature as a whole

Even though we currently only should have one group for a cluster, we
allow the flexibility to associate to other groups in the future.

This also matches the runner <=> groups association.

- Adds Cluster#first_group, aliased to Cluster#group. For the
conceivable future, a cluster will have at most one group.

- Prevent mixing of group and project clusters. If project type
clusters, it should only have projects assigned.  Similarly with groups.

- Default cluster_type to :project_type. As it's very small table we can
set default and null: false in one release.

ObjectStore uploader requires presence of associated `uploads` record
when deleting the upload file (through the carrierwave's after_commit
hook) because we keep info whether file is LOCAL or REMOTE in `upload`
object.

For this reason we can not destroy uploads as "dependent: :destroy" hook
because these would be deleted too soon. Instead we rely on
carrierwave's hook to destroy `uploads` in after_commit hook.

But in before_destroy hook we still have to delete not-mounted uploads
(which don't use carrierwave's destroy hook). This has to be done in
before_Destroy instead of after_commit because `FileUpload` requires
existence of model's object on destroy action.

This is not ideal state of things, in a next step we should investigate
how to unify model dependencies so we can use same workflow for all
uploads.

Related to #45425

Fix using wildcards in protected tags to expose protected variables

The following optimizations were performed:

- Add new association to GroupMember and ProjectMember

  This new association will allow us to check if a user is a member of a
  Project or Group through a single query instead of two.

- Optimize retrieving of Members when adding multiple Users