Add cron worker to cleanup orphaned security policy bots

What does this MR do and why?

Adds a scheduled job to identify and delete security policy bot users that are no longer associated with any projects. This addresses the accumulation of orphaned bot accounts that remain after projects are deleted or security policies are removed.

The worker:

  • Runs hourly to check for security policy bots without project memberships
  • Excludes bots with existing ghost user migrations to avoid conflicts
  • Processes up to 1000 users per execution
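The selection rule described above, written out as an added plain-Ruby model (this is illustrative code, not the worker from this MR or GitLab's own code). The struct, the in-memory membership and ghost-migration tables, and the `BATCH_LIMIT` constant are constructed assumptions; the "blocked" outcome mirrors what step 7 of the validation procedure expects.

```ruby
require 'set'

# Assumed batch size, taken from the description ("up to 1000 users per execution").
BATCH_LIMIT = 1000

# Constructed user record; only the fields the selection rule needs.
BotUser = Struct.new(:id, :user_type, :blocked, keyword_init: true)

# Constructed sample data: four users, one project membership table
# (user_id => project_ids) and the set of users already queued for
# ghost-user migration.
def build_sample
  users = [
    BotUser.new(id: 1, user_type: :security_policy_bot, blocked: false), # orphaned
    BotUser.new(id: 2, user_type: :security_policy_bot, blocked: false), # still a member
    BotUser.new(id: 3, user_type: :security_policy_bot, blocked: false), # migration pending
    BotUser.new(id: 4, user_type: :human, blocked: false)                # not a bot
  ]
  memberships = { 2 => [10] }
  ghost_migrations = Set[3]
  [users, memberships, ghost_migrations]
end

# Bots the worker would act on in one run: security policy bots with no
# project membership and no ghost-user migration in flight, capped at `limit`.
def orphaned_security_policy_bots(users, memberships, ghost_migrations, limit: BATCH_LIMIT)
  users.select do |u|
    u.user_type == :security_policy_bot &&
      memberships.fetch(u.id, []).empty? &&
      !ghost_migrations.include?(u.id)
  end.first(limit)
end

# One execution: block each orphaned bot and queue its ghost-user migration.
# Queuing the migration is what keeps a second run from selecting it again,
# which is the "avoid conflicts" exclusion in the description.
def perform_cleanup(users, memberships, ghost_migrations, limit: BATCH_LIMIT)
  targets = orphaned_security_policy_bots(users, memberships, ghost_migrations, limit: limit)
  targets.each do |bot|
    bot.blocked = true
    ghost_migrations << bot.id
  end
  targets.map(&:id)
end
```

Running `perform_cleanup` twice over the sample data acts on bot 1 the first time and on nothing the second, and a dataset of 1500 orphaned bots is trimmed to 1000 per run.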

How to set up and validate locally

  1. Enable the feature
    Feature.enable(:security_policy_bot_cleanup_cron_worker)
  2. Create a project
  3. Find the ID of your project and create a security policy bot for it via Rails console:
    Security::Orchestration::CreateBotService.new(Project.find(YOUR_PROJECT_ID), User.first).execute
  4. On the left sidebar select Manage -> Members and select the GitLab Security Policy Bot (keep the page open to verify the user was deleted later)
  5. Delete the project
  6. Execute the cron worker:
    Users::SecurityPolicyBotCleanupCronWorker.new.perform
  7. Reload the GitLab Security Policy Bot page. The user should now be blocked.

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #545917 (closed)

Edited by Andy Schoenen
