Protected containers: Delete protection

Context

This is part of Container Registry: Granular protection for rep... (&9825). See this epic's description for context. Here we'll focus on the described Delete protection.

Change

backend rails

1. Add a new attribute to image repositories on the Rails side (container_repositories table) to denote when they are locked against deletes;
2. Allow frontend calls triggered by project owners/maintainers to toggle the delete protection for individual repositories;
3. When a user requests a JWT token to allow them to delete against a given image repository, Rails should (within the container registry auth service) check if the corresponding repository is locked against deletes and refuse the request if so, effectively protecting the repository and all images within;
4. Refuse frontend/API requests to delete a container repository if deletion protection is turned on for that repository.

frontend UX

1. Create a new project configuration section/setting where users can see the list of container repositories and toggle delete protection for them. Requires UX Design;
2. Allow project owners/maintainers to toggle the delete protection for individual repositories;
3. Display a special label (?) alongside container repositories with delete protection enabled in the repository list view. Requires UX Design.

documentation

1. Make it clear that changes to the delete protection policy will take up to N minutes to come into effect, where N is the configured JWT token expiry.
2. Make it clear that deletion protection does not apply to tag cleanup policies, those act on individual tags, this protection is for the repository as a whole.