Add a new permission for the container expiration policy
Summary
Follow-up of !32944 (comment 353901419)
The container expiration policy is currently gated behind the following permission: destroy_container_image, which is not explicit.
Looking at the container expiration policy form on the UI (https://gitlab.com/gitlab-org/gitlab/-/blob/master/app/views/projects/settings/ci_cd/show.html.haml#L65), we can see that all the CRUD operations are guarded behind the single permission above. In other words, we don't use granular permissions such as read_XXX, create_XXX, update_XXX, ...
To make things easier to reason about, introduce a new permission: manage_container_expiration_policy. This new permission should have the same access level as destroy_container_image.
Improvements
- The permission gating the container expiration policy feature is more explicit.
Risks
- If the refactoring is not done correctly, access to the container expiration policy feature could be denied to users.
- This risk is mitigated by the test suite.
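The refactoring and the risk above can be sketched as follows. This is an added example, not GitLab's code and not its DeclarativePolicy API: the `ProjectPolicy` stand-in, the role names and levels, the minimum role for destroy_container_image, and the `permission_drift` and `update_expiration_policy` helpers are all assumptions made for illustration.

```ruby
# Simplified stand-in for a rule-based policy class (not GitLab's DeclarativePolicy).
# Role names and their access levels are constructed for this example.
class ProjectPolicy
  ROLES = { guest: 10, reporter: 20, developer: 30, maintainer: 40 }.freeze
  RULES = {}

  # Register an ability together with the condition that enables it.
  def self.enable(ability, &condition)
    RULES[ability] = condition
  end

  # Existing permission; the minimum role is an assumption for this example.
  enable(:destroy_container_image) { |policy| policy.level >= ROLES[:maintainer] }

  # New explicit permission, defined in terms of the old one so both
  # always resolve to the same access level.
  enable(:manage_container_expiration_policy) { |policy| policy.can?(:destroy_container_image) }

  attr_reader :level

  def initialize(role)
    @level = ROLES.fetch(role)
  end

  # Unknown abilities are denied by default.
  def can?(ability)
    rule = RULES[ability]
    rule ? rule.call(self) : false
  end
end

# Returns the roles for which two abilities disagree; empty means parity.
def permission_drift(old_ability, new_ability)
  ProjectPolicy::ROLES.keys.reject do |role|
    policy = ProjectPolicy.new(role)
    policy.can?(old_ability) == policy.can?(new_ability)
  end
end

# Hypothetical settings action gated by the new, explicit permission.
def update_expiration_policy(role, params)
  policy = ProjectPolicy.new(role)
  return :forbidden unless policy.can?(:manage_container_expiration_policy)
  params.merge(saved: true)
end
```

A parity check like `permission_drift` is the kind of test that catches the stated risk: any role that held the old permission but is denied the new one shows up in the returned list.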