Scheduled pipeline execution policy bot cannot read content or trigger other repos


I'm evaluating scheduled pipeline execution policies (&14147 (closed)) as an approach for a customer that needs to trigger complex deployment pipelines for DAST (the nature of their pipelines, which involve multiple downstreams, makes it infeasible to use a scan execution policy). A normal PEP works fine, but I have not been able to get a scheduled PEP to work. There are two related reasons:

  • Pipeline execution policies have content which potentially comes from a different project from the policy itself (in fact, that's how the main PEP documentation shows it being used). I have not been able to figure out a configuration where that doesn't lead to failure to build the pipeline due to "not found or access denied" on the project containing the content. You can work around this by putting the content pipeline in the security policy project itself.
  • Once you work around the former, the pipelines created by the scheduled PEP always fail to trigger downstream pipelines with "no permissions to trigger downstream pipeline".

Both of these issues appear to be a result of the policy bot's permissions; it seems that it is added as "Guest" to the project being scanned and not added to other projects at all.

I believe that this makes the current scheduled PEP implementation unusable with pipelines that use downstream pipelines.

This is definitely related to #551958 but I felt that the issue and implications were different enough that it was worth a separate issue.
