Use UUIDv7 for Artifact Registry role ids

Diane Russelrequested to merge
dr/uuidv7-role-ids into main

What

Regenerate the four Artifact Registry role ids (roles/artifact_registry/*.yml) as UUIDv7. They were UUIDv4.

Why

IAM's Relationships API validates Role.id with a CEL rule requiring a canonical lowercase UUIDv7 (gitlab-org/auth/iamproto/relationships/relationships.proto). Role grants carry these ids, so v4 ids would be rejected at the AR ↔️ IAM boundary. Role ids are owned by glaz-roles (the shared role-permissions library) and mirrored in IAM, so they must satisfy that contract.

Safety

Safe to re-mint: the AR ↔️ IAM ↔️ GLAZ integration isn't live yet, so no stored relationship tuples reference these ids.

Notes

  • The glaz-roles tests assert role ids are distinct (not specific values), so no test changes are needed here.
  • org_owner's id (added on the stacked dr/effective-permissions-check / !37) is generated as v7 there.
  • The stacked MRs (!20, !37) will pick up these ids on rebase; !20's resolver test constants get updated to the new ids then.

🤖 Generated with Claude Code

Merge request reports