Security policy bot can't be created with email signup restrictions

Summary

Whenever a security policy project is linked to a project, we create a security policy bot user and add it as a guest member to the project. This action is triggered by a user and we use that user account to create the bot user. In some cases, we create bot users async. For example in container scanning.

When the bot is created we assign a randomly generated email to the bot user in ee/app/services/security/orchestration/create_bot_service.rb.

If the GitLab instance has signup restrictions with an email domain allow list, and we don't have a current_user to create the bot, it can't be created. The validation fails with:

Validation failed: Email is not allowed for sign-up. Please use your regular email address. Check with your administrator

Steps to reproduce

  1. Go to Admin -> Settings -> General and expand the Sign-up restrictions section.
  2. Enter @gmail.com in the Sign-up restrictions field and select Save changed
  3. Create a new project
  4. On the rails console, generate a security policy bot for the project: 
    Security::Orchestration::CreateBotService.new(Project.find(YOUR_PROJECT_ID), User.first, skip_authorization: false).execute
  5. The project member returned by the service should not be persisted.

Example Project

What is the current bug behavior?

What is the expected correct behavior?

Relevant logs and/or screenshots

Output of checks

Results of GitLab environment info

Expand for output related to GitLab environment info 

(For installations with omnibus-gitlab package run and paste the output of:
`sudo gitlab-rake gitlab:env:info`)

(For installations from source run and paste the output of:
`sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production`)

Results of GitLab application Check

Expand for output related to the GitLab application check 
(For installations with omnibus-gitlab package run and paste the output of:
sudo gitlab-rake gitlab:check SANITIZE=true)


(For installations from source run and paste the output of:
sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true)


(we will only investigate if the tests are passing)

Possible fixes