@fwag fwag commented Nov 3, 2025

In organizations with a large number of repositories, managing branch protection rules on a per-repository basis is not scalable and can lead to security inconsistencies. This pull request introduces organization-level branch protection rules to address this, allowing administrators to define rules that apply to all repositories within an organization.

To enhance security and ensure consistent policy enforcement, organization-level rules are designed to take precedence over repository-level rules. When determining the effective protection for a branch, the system will first look for a matching rule at the organization level. If one is found, it is applied. If not, it falls back to checking for repository-specific rules.

This change includes:

  • Database schema modifications to the protected_branch table to support both owner_id and repo_id, with partial unique indexes to ensure rule name uniqueness at both levels.
  • New API endpoints under /orgs/{org}/branch_protections for creating, reading, updating, and deleting organization-level branch protection rules.
  • Updated logic to prioritize organization-level rules over repository-level rules during branch protection checks.

As I am not deeply familiar with the Gitea codebase and am relatively new to Go, I would greatly appreciate a thorough community review of these changes.

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Nov 3, 2025
@github-actions github-actions bot added modifies/api This PR adds API routes or modifies them modifies/go Pull requests that update Go code modifies/migrations labels Nov 3, 2025
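The lookup order described in the pull request description, sketched as an added example; this is not code from the pull request or from Gitea. The `Rule` type and the `firstMatch` and `Effective` functions are hypothetical, and matching rule names as `path.Match` globs with first-match-wins ordering is an assumption.

```go
package main

import (
	"fmt"
	"path"
)

// Rule is a hypothetical, simplified branch protection rule.
type Rule struct {
	Level             string // "org" or "repo"
	Pattern           string // branch name or glob (assumed path.Match syntax)
	RequiredApprovals int
}

// firstMatch returns the first rule whose pattern matches branch, or nil.
// A malformed pattern is skipped, so validate patterns when rules are saved.
func firstMatch(rules []Rule, branch string) *Rule {
	for i := range rules {
		if ok, err := path.Match(rules[i].Pattern, branch); err == nil && ok {
			return &rules[i]
		}
	}
	return nil
}

// Effective applies the described order: an organization-level match wins
// outright; repository-level rules are consulted only when none matches.
func Effective(orgRules, repoRules []Rule, branch string) *Rule {
	if r := firstMatch(orgRules, branch); r != nil {
		return r
	}
	return firstMatch(repoRules, branch)
}

func main() {
	// Constructed sample rules.
	org := []Rule{{"org", "main", 1}}
	repo := []Rule{{"repo", "main", 3}, {"repo", "release/*", 2}}
	for _, b := range []string{"main", "release/1.0", "feature/x"} {
		if r := Effective(org, repo, b); r != nil {
			fmt.Printf("%-12s %s rule %q, approvals=%d\n", b, r.Level, r.Pattern, r.RequiredApprovals)
		} else {
			fmt.Printf("%-12s unprotected\n", b)
		}
	}
}
```

With these constructed rules, `main` resolves to the organization rule with 1 approval even though the repository rule asks for 3: under the described logic the result is precedence, not a merge of both levels.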
@AdamMajer
Contributor

Seems to be related to part of #34816

markkrj commented Nov 7, 2025

Probably will fall into a limbo, similar to other Gitea "enterprise" features that have PRs open for years. One of them was even merged and then reverted. Sad what this project has become.
