Grant API access to security policy bot

What does this MR do and why?

Grant API access to the security policy bot.

Security policy bots need API access to perform operations like downloading artifacts from previous jobs in scheduled pipeline execution policies. Without API access, jobs in later stages cannot download artifacts from earlier policy jobs, resulting in 403 Forbidden - This action cannot be performed by internal users errors.

Background

This is the final part (Phase 3) of a 3-phase implementation to fix artifact download between scheduled policy jobs, as described in epic &21707:

Phase	Issue	Description	Status
1	#594740 (closed)	Refactor security policy bot permissions to use YAML format	✅ Merged
2	#594741 (closed)	Update security policy bot role to minimal access	✅ Merged
3	#594742	Grant API access to security policy bot role	🔄 This MR

Changelog: fixed EE: true

References

• Parent Epic: &21707
• Related Issue: #594742
• Phase 1 MR: !230498 (merged)
• Phase 2 MR: !232174 (closed)

Screenshots or screen recordings

Before	After

How to set up and validate locally

1. Create a new group.
2. Create a new project on the group.
3. Add a CI config file policy-ci.yml:

   stages:
     - build
     - test
   
   create_artifact:
     stage: build
     script:
       - echo "Hello from artifact" > message.txt
     artifacts:
       paths:
         - message.txt
   
   read_artifact:
     stage: test
     script:
       - cat message.txt
     needs:
       - create_artifact

4. Add a .gitlab/security-policies/policy.yml file to the project with content (Replace path/to/project with the path to your project):

   ---
   experiments:
     pipeline_execution_schedule_policy:
       enabled: true
   pipeline_execution_policy: []
   approval_policy: []
   pipeline_execution_schedule_policy:
     - name: test
       description: 
       enabled: true
       pipeline_config_strategy: schedule
       content:
         include:
           - project: path/to/project
             file: policy-ci.yml
       schedules:
         - type: daily
           start_time: 10:00
           time_window:
             value: 600
             distribution: random

5. Go back to the group page and on the left sidebar, select Secure and Policies.
6. Select Edit policy project and select your project. Then select Save.
7. Create another project in the group to test the pipeline.
8. Copy the project ID
9. Start the schedule worker manually to trigger the schedule (replace YOUR_PROJECT_ID with the id of your project)

   project_id = YOUR_PROJECT_ID
   schedule = Security::PipelineExecutionProjectSchedule.find_by_project_id(project_id)
   Security::PipelineExecutionPolicies::RunScheduleWorker.new.perform(schedule.id)

10. Go to Build -> Pipelines in your project and wait for the scheduled pipeline to appear.
11. Verify that the read_artifact job succeeds

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Closes #594742