Add GraphQL mutation to assign Artifact Registry roles

What does this MR do and why?

Adds an EE GraphQL mutation, artifactRegistryRoleAssign, that lets an organization owner assign one of the four Artifact Registry roles (Viewer, Contributor, Manager, Admin) to a user on a resource. It is a thin Rails wrapper over the IAM Relationships API WriteRelationships RPC.

The mutation validates that the caller and the assignee belong to the same organization, mints a short-lived Artifact-Registry-scoped JWT via the Rails token exchange (Authn::TokenExchange::TokenIssuer), and writes the ASSIGNMENT tuple to IAM over gRPC. Authorization of the org owner is performed by the IAM service via the gitlab_organization_role token claim — the wrapper does not duplicate it.

First iteration, behind the default-off artifact_registry_role_assignment feature flag. Deferred to later iterations: resource→organization validation (needs an Artifact Registry lookup), revoke (DeleteRelationships), and multi-organization / current-organization semantics.

Stacked MR

Part of a 3-MR stack — review/merge bottom-up:

  1. !241258 (merged) — IAM data access service config + Authn::IamDataAccessService helper (targets master)
  2. !241296 (merged) — vendored relationships/update gRPC stubs (targets !241258 (merged)'s branch)
  3. This MR — the mutation (targets !241296 (merged)'s branch)

Retarget each MR to master and rebase as the one below it merges.

Before this leaves Draft

  • Add granular token authorization (authorize_granular_token) to the mutation. It is currently listed in config/authz/graphql/authorization_todo.txt as a deliberate, temporary deferral.

References

Screenshots or screen recordings

Not applicable — backend-only, no UI.

How to set up and validate locally

  1. Check out this branch (it includes the config from !241258 (merged) and the gRPC stubs from !241296 (merged) via the stack) and point iam_data_access_service at a running IAM data access service.
  2. In the Rails console, enable the flag:
    Feature.enable(:artifact_registry_role_assignment)
  3. As an organization owner, run the artifactRegistryRoleAssign mutation with an assignee global ID, a resource UUID, and a role.
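The shape of the call in step 3, as an added example that is not part of this MR: the argument names `assigneeId`, `resourceId` and `role`, the upper-case role enum values, and the sample global ID and UUID are assumptions, so check them against the mutation's schema (or `GitlabSchema` introspection) before running it. Only the Viewer, Contributor, Manager and Admin roles described above exist; the `errors` selection is the standard GitLab mutation payload field and is where a same-organization validation failure would surface.

```graphql
# Added example, not code from this MR. Argument names and enum casing are assumed.
mutation AssignArtifactRegistryRole {
  artifactRegistryRoleAssign(input: {
    assigneeId: "gid://gitlab/User/123"                   # constructed user global ID
    resourceId: "00000000-0000-0000-0000-000000000000"    # constructed resource UUID
    role: VIEWER                                          # one of VIEWER, CONTRIBUTOR, MANAGER, ADMIN (casing assumed)
  }) {
    errors
  }
}
```

Run it as the organization owner (the IAM service authorizes via the `gitlab_organization_role` token claim, so a non-owner caller is rejected there, not in Rails); with `artifact_registry_role_assignment` disabled the mutation is not available, so step 2 must come first.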

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist.

🤖 Generated with Claude Code

Edited by Diane Russel
