[Spike] Investigate how to use bot user for security policies

Timebox: 3 days

Current scenario

We reverted !105557 (merged) because the security policy bot did not have permission to access the registry. Currently, the security scan job is triggered by the user who last updated the policy. This causes permission issues when that user does not have permission to create pipelines. There is already a similar issue for scan result policies: #383593 (closed)

Goal

The goal of this spike is to figure out a way to use a bot user with restrictive permissions to create pipelines and approval rules for scan result policies, and based on this to prepare an issue with an implementation plan.

Steps to reproduce the original bug

  1. Set up runners.
  2. Create a project with a working .gitlab-ci.yml file as the development project.
  3. Create another project as the security policies project.
  4. If you are logged in as root, pick a different user and add it as owner to both projects.
  5. Impersonate the other user.
  6. On the development project go to Security and Compliance > Policies.
  7. Select Edit policy project.
  8. Select your security policies project.
  9. Select Save.
  10. Select New Policy.
  11. Select Scan execution policy.
  12. Choose a Name.
  13. As Conditions Select IF Schedule actions for the branch main daily at 00:00.
  14. As Actions choose SAST.
  15. Select Configure with a Merge Request.
  16. Merge the new MR.
  17. To avoid waiting until the next day for the scheduled execution to run:
    1. Open a Rails console.
    2. Reset the timers by running Security::OrchestrationPolicyRuleSchedule.update_all(next_run_at: Time.now - 1.day)
    3. Run the schedule worker with Security::OrchestrationPolicyRuleScheduleWorker.new.perform
  18. A new pipeline should be started on the development project and the triggerer should be the user that created the scan execution policy.
  19. Stop the user impersonation.
  20. Change the user's access level on the development project to Guest.
  21. Run the steps to execute the schedule worker again.
Edited by Andy Schoenen