Automatically grant access to SPP after creating a scheduled PEP

Why are we doing this work

When a scheduled pipeline execution policy is created, we should automatically enable the setting that grants the policy bot access to pipeline execution policy (PEP) configurations stored in the security policy project (SPP), so that the bot can actually run the pipeline.

(Screenshot: CleanShot_2025-04-09_at_14.48.30_2x, not reproduced here)

By default, the security policy bot user does not have access to the linked policy configuration. Today we have to guide users to store the configuration in the security policy project and to enable this setting before the policy pipelines will run.

Automating this step would simplify adoption.

We can't expect new users to know how to fix access errors on their first policy, and it is something we should be able to configure for them automatically. Additionally, we should make it visible that they still need to store their policy CI YAML in the SPP.

Relevant links

Non-functional requirements

  • Documentation:
  • Feature flag:
  • Performance:
  • Testing:

Implementation plan

diff --git a/ee/app/workers/security/update_spp_repository_pipeline_access_worker.rb b/ee/app/workers/security/update_spp_repository_pipeline_access_worker.rb
new file mode 100644
index 000000000000..d073576825d3
--- /dev/null
+++ b/ee/app/workers/security/update_spp_repository_pipeline_access_worker.rb
@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module Security
+  class UpdateSppRepositoryPipelineAccessWorker
+    include Gitlab::EventStore::Subscriber
+
+    data_consistency :sticky
+
+    deduplicate :until_executing, including_scheduled: true
+    idempotent!
+
+    feature_category :security_policy_management
+
+    def handle_event(event)
+      security_policy_id = event.data[:security_policy_id]
+      policy = Security::Policy.find_by_id(security_policy_id) || return
+
+      if policy.content[:include].first[:project] == policy.security_orchestration_policy_configuration.project.full_path
+        policy.security_orchestration_policy_configuration.project.update!(spp_repository_pipeline_access: true)
+      end
+    end
+  end
+end
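Review bot: the condition `policy.content[:include].first[:project]` in `handle_event` will raise `NoMethodError` for any policy whose content has no `include` array (the subscriptions below fire on every `PolicyCreatedEvent`/`PolicyUpdatedEvent`, including approval and scan execution policies), so guard it: return early unless the policy is a pipeline execution policy, and read the path with `policy.content.dig(:include, 0, :project)` (or iterate over all `include` entries) so a missing or empty `include` yields `nil` instead of failing. Also consider skipping the `update!` when `spp_repository_pipeline_access` is already `true`, and add a spec for a policy whose `include` points at a different project, which must not flip the setting.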
diff --git a/ee/lib/ee/gitlab/event_store.rb b/ee/lib/ee/gitlab/event_store.rb
index 9b04644ab9b5..657a9bdd0588 100644
--- a/ee/lib/ee/gitlab/event_store.rb
+++ b/ee/lib/ee/gitlab/event_store.rb
@@ -97,6 +97,9 @@ def register_security_policy_subscribers(store)
           store.subscribe ::Security::SyncPolicyWorker, to: ::Security::PolicyDeletedEvent
           store.subscribe ::Security::SyncPolicyWorker, to: ::Security::PolicyUpdatedEvent
 
+          store.subscribe ::Security::UpdateSppRepositoryPipelineAccessWorker, to: ::Security::PolicyCreatedEvent
+          store.subscribe ::Security::UpdateSppRepositoryPipelineAccessWorker, to: ::Security::PolicyUpdatedEvent
+
           store.subscribe ::Security::SyncPolicyEventWorker, to: ::Repositories::ProtectedBranchCreatedEvent
           store.subscribe ::Security::SyncPolicyEventWorker, to: ::Repositories::ProtectedBranchDestroyedEvent
           store.subscribe ::Security::SyncPolicyEventWorker, to: ::Repositories::DefaultBranchChangedEvent
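Review bot: these two subscriptions enqueue the worker for every policy created or updated, regardless of policy type, while the issue only targets scheduled pipeline execution policies; add a condition on the subscription (the event store's `if:` option) or an early return in the worker so non-PEP policies are filtered before a Sidekiq job is created, and confirm that both `PolicyCreatedEvent` and `PolicyUpdatedEvent` carry `security_policy_id` in their data schema, since the worker reads `event.data[:security_policy_id]`.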

Verification steps

Edited by Andy Schoenen