Add GraphQL mutation to enqueue the background job to enable SPP for all projects in group

Overview

After introducing the background job that toggles the project-level Secret Push Protection setting for all projects nested in a group in #502826 (closed), we need to let security teams enqueue this job through an API. For this reason, we should introduce a new GraphQL mutation that accepts a group ID and runs this background job.

Proposal

Requirements

  • The mutation should accept a group ID to run the background job.
  • The mutation should be idempotent (i.e., it should not enqueue another job while one is already running).
  • The mutation should only be accessible to group members with maintainer or higher roles.

Implementation plan

  • Create a new mutation ee/app/graphql/mutations/security/ci_configuration/set_group_secret_push_protection.rb and define its arguments:

    • group_path --> required
    • enabled --> required
    • projects_to_exclude --> optional
  • Add the new mutation in ee/app/graphql/ee/types/mutation_type.rb.

  • Call the new worker from #502826 (closed) from the resolve function with the latest arguments.

  • Add unit tests for the new arguments and the requirements.

  • Add documentation for the new mutation with examples of the arguments

  • Add a new changelog entry
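
A sketch of the resolve logic the requirements and arguments above imply, added here as an illustration and not taken from the GitLab code base. It covers the maintainer-or-higher check, the three arguments, and the rule that no second job is enqueued while one is running. The class, the in-memory running set, the role table and the error strings are all hypothetical stand-ins.

```ruby
# Added illustration; every name here is hypothetical and nothing below is GitLab code.
require 'set'

# Constructed role ordering for the sketch; higher means more privileged.
ROLES = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

class SetGroupSppSketch
  attr_reader :enqueued

  def initialize(memberships)
    @memberships = memberships # { [user, group_path] => role }
    @running = Set.new         # group paths with a job in flight
    @enqueued = []             # stand-in for the background job queue
  end

  # Mirrors the proposed arguments: group_path and enabled are required,
  # projects_to_exclude is optional.
  def resolve(user:, group_path:, enabled:, projects_to_exclude: [])
    unless [true, false].include?(enabled)
      return { errors: ['enabled must be true or false'] }
    end

    # Authorize before touching any state. Non-members, unknown groups and
    # under-privileged members all get the same answer, so the response does
    # not reveal whether a group exists.
    role = @memberships[[user, group_path]]
    unless role && ROLES.fetch(role) >= ROLES[:maintainer]
      return { errors: ['not authorized'] }
    end

    # Set#add? returns nil when the key is already present, so a repeated
    # request for the same group is a no-op while a job is in flight.
    return { errors: [], enqueued: false } unless @running.add?(group_path)

    @enqueued << { group_path: group_path, enabled: enabled,
                   projects_to_exclude: projects_to_exclude }
    { errors: [], enqueued: true }
  end

  # The worker would call this when it finishes, releasing the guard.
  def job_finished(group_path)
    @running.delete(group_path)
  end
end
```

In a multi-process deployment the in-memory set would have to be a shared lock or job-deduplication key; the order of checks (validate, authorize, then guard) is the part that carries over.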

Edited by Miki Amos