Update documentation re: git protocol restriction and CI_JOB_TOKEN

The current documentation notes an exception to the "restrict git
protocol" setting for CI / CD jobs, but does not explain that this
includes all uses of the `CI_JOB_TOKEN` . This change updates the
documentation to more carefully explain the implementation of the CI
carve-out on git protocol restrictions.

doc/administration/settings/visibility_and_access_controls.md

@@ -237,9 +237,8 @@ If only one protocol is enabled:
 GitLab only allows Git actions for the protocols you select.
 
 WARNING:
-GitLab versions [10.7 and later](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/18021),
-allow the HTTP(S) protocol for Git clone or fetch requests done by GitLab Runner
-from CI/CD jobs, even if you select **Only SSH**.
+GitLab [10.7 and later](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/18021)
+allows the HTTP(S) protocol for Git clone or fetch requests performed [with GitLab CI/CD job tokens](../../ci/jobs/ci_job_token.md), even if you select **Only SSH**. This is required for GitLab Runner and CI/CD jobs.
 
 ## Customize Git clone URL for HTTP(S)
 

doc/ci/jobs/ci_job_token.md

@@ -182,7 +182,7 @@ in a CI/CD job. For example:
 git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.example.com/<namespace>/<project>
 ```
 
-You can't use a job token to push to a repository, but [issue 389060](https://gitlab.com/gitlab-org/gitlab/-/issues/389060)
+You can use this job token to clone a repository even if the HTTPS protocol is [disabled by group, project, or instance settings](../../administration/settings/visibility_and_access_controls.md#configure-enabled-git-access-protocols). You cannot use a job token to push to a repository, but [issue 389060](https://gitlab.com/gitlab-org/gitlab/-/issues/389060)
 proposes to change this behavior.
 
 ## Limit your project's job token access (deprecated)