Protected packages: Implement deletion protection in GraphQL mutations for UI consistency

Everyone can contribute. Help move this issue forward while earning points, leveling up and collecting rewards.

• Close this issue

Problem to solve

Currently, there's an inconsistency between the REST API and UI behavior regarding protected package deletion. While the REST API correctly enforces package deletion protection, the UI does not implement this protection, allowing users to delete protected packages through the UI.

Proposal

Integrate the package deletion protection logic into the following GraphQL mutations that handle package deletion from the UI:

• Mutations::Packages::Destroy
• Mutations::Packages::BulkDestroy
• Mutations::Packages::DestroyFile
• Mutations::Packages::DestroyFiles

This will ensure consistent behavior between the REST API and UI interfaces.

Acceptance Criteria

• Users experience consistent behavior when attempting to delete protected packages, regardless of whether they use the REST API or UI
• Protected packages cannot be deleted through either interface
• All GraphQL mutations properly respect the package protection settings

Links / references

• Parent issue: #516215
• Comment identifying the issue: #516215 (comment 2603510275)
• Feature flag rollout issue: #536438
• MR that integrated package delete protection in the REST API (implementation reference): !179931 (merged)
• MR with container image delete protection implementation (for reference): !183545 (merged)