## Summary After the `scan_execution_policy_variables_override` feature flag (tracked in #591129) is fully rolled out and removed, we should clean up `::Gitlab::Ci::Variables::Builder::ScanExecutionPolicies`. When the feature flag is enabled, the new code path skips `::Gitlab::Ci::Variables::Builder::ScanExecutionPolicies` and instead uses the `variables_override` option for policy jobs to enforce variables. Once the flag is fully enabled and removed, the builder class becomes unnecessary for jobs that have the `variables_override` metadata option. ## Backwards Compatibility For backwards compatibility, we need to keep the builder for SEP jobs that **don't** contain the `variables_override` metadata option. These are jobs that were created before the feature flag was enabled and still rely on the old code path. ## Cleanup Plan To be able to fully remove `::Gitlab::Ci::Variables::Builder::ScanExecutionPolicies`, we need to: 1. **Prepare a Batched Background Migration (BBM)** that updates the build metadata for existing SEP jobs to include the `variables_override` option. - Use `job_source == 'scan_execution_policy'` to identify SEP jobs. - Fetch the policy variables from the linked `Security::Policy` records. - Populate the `variables_override` metadata option for those jobs. 2. **Remove `::Gitlab::Ci::Variables::Builder::ScanExecutionPolicies`** once the BBM has completed and all SEP jobs have been migrated to use `variables_override`. ## Related - Feature flag rollout issue: #591129 - Feature issue: #485051