
Add security policy bot access level

What does this MR do and why?

This introduces a new access level for security policy bot members. It also introduces a new type of member access level.

The new access level should not be selectable by users, but it should also not be hidden, so that users can see that a member has the security policy bot access but cannot create or update a member to have security policy bot access. This can only be done by the system when a security policy is added to a project.

The MR changes three things:

  1. Introduce the new access level SECURITY_POLICY_BOT.
  2. Make sure the access level is visible in the UI but cannot be selected for members.
  3. Allow the access level to be used when creating security policy bot members by the system.

In the next steps I will

  1. Create a data migration to update all existing memberships of security policy bots to have the new access level
  2. Base the policy exceptions on the new access level instead of user_type

Why is the new access level needed?

Security policy bots are used to trigger pipelines and should have the minimal permissions to do so. We previously handled this by adding policy exceptions if the user is of type security_policy_bot, but it will be easier to handle if there is a dedicated access level for security policy bots.

The new access level will improve:

  • Security, by preventing users of security_policy_bot type from getting hidden permissions as a group or project member
  • Performance, because we don't need to look up user_type on the users table and can rely only on the members table
  • Quality, because we can enforce validations with a database constraint.

Screenshots or screen recordings

Security policy bot role is displayed in UI
User can't select security policy bot role

How to set up and validate locally

Verify it's not possible to invite users as security policy bot member

  1. On any project, open Manage -> Members
  2. Select Invite members
  3. In the Select role dropdown, it should not be possible to select Security policy bot

Verify security policy bots cannot be added via API

  1. Find a project and a user that is not already a member of the project and note the IDs
  2. Replace PROJECT_ID, ACCESS_TOKEN and USER_ID, then run the following command:
curl --location 'http://gdk.test:3000/api/v4/projects/PROJECT_ID/members' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer ACCESS_TOKEN' \
--data '{
    "user_id": USER_ID,
    "access_level": 21
}'
  3. This should return a 400 response with body:
{
    "message": {
        "access_level": [
            "is not included in the list"
        ]
    }
}

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #426271

Edited by Andy Schoenen
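
The "visible but not selectable" behaviour described in this merge request, as an added plain-Ruby sketch that is not the MR's or GitLab's own code. The module, method and struct names are hypothetical, the level list is a subset for illustration, and 21 is the value used in the API check above.

```ruby
# Added illustration; names are hypothetical and this is not GitLab's code.
module AccessLevels
  GUEST = 10
  REPORTER = 20
  SECURITY_POLICY_BOT = 21 # value sent in the API check above
  DEVELOPER = 30
  MAINTAINER = 40
  OWNER = 50

  # Every level that can be stored on a member record and displayed.
  ALL = {
    'Guest' => GUEST, 'Reporter' => REPORTER,
    'Security policy bot' => SECURITY_POLICY_BOT,
    'Developer' => DEVELOPER, 'Maintainer' => MAINTAINER, 'Owner' => OWNER
  }.freeze

  # Levels that only the system may assign.
  SYSTEM_ONLY = [SECURITY_POLICY_BOT].freeze

  # Levels offered in the role dropdown and accepted from API callers.
  def self.selectable
    ALL.reject { |_name, level| SYSTEM_ONLY.include?(level) }
  end

  # Display name for any stored level, including system-only ones.
  def self.label(level)
    ALL.key(level)
  end
end

Member = Struct.new(:user_id, :access_level)

# User-facing path: validates against the selectable list only and
# mirrors the 400 body shown in the validation steps.
def add_member_via_api(user_id, access_level)
  unless AccessLevels.selectable.value?(access_level)
    return [400, { 'message' => { 'access_level' => ['is not included in the list'] } }]
  end
  [201, Member.new(user_id, access_level)]
end

# System path: the only place the bot level is assigned, standing in for
# "when a security policy is added to a project".
def add_security_policy_bot(bot_user_id)
  Member.new(bot_user_id, AccessLevels::SECURITY_POLICY_BOT)
end
```

Keeping the display list and the selectable list separate means a stored bot membership still renders with its role name, while every user-controlled write path rejects the value.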
