Refactor security policy bot permissions to use YAML format
## Overview

Refactor all security policy bot authorization policies to use the new YAML format for role definitions. This aligns with the new authorization framework and makes permissions more maintainable and transparent.

## Background

We introduced a new YAML-based format for defining authorization roles (see [security_manager.yml](https://gitlab.com/gitlab-org/gitlab/-/blob/master/config/authz/roles/security_manager.yml) as an example). This format provides a cleaner, more declarative way to define permissions compared to the previous Ruby-based policy classes.

## What needs to be done

1. **Create a new YAML file** for the `security_policy_bot` role at `config/authz/roles/security_policy_bot.yml`
   - Define all permissions currently granted to the security policy bot
   - Follow the same structure as existing role files (e.g., `security_manager.yml`)
2. **Refactor existing security policy bot authorization policies** to use the new YAML format
   - Identify all Ruby policy classes that define security policy bot permissions
   - Migrate permissions to the YAML role definition
   - Remove or update the Ruby policy classes as needed
3. **Ensure backward compatibility** during the transition
   - Verify that all existing permissions are preserved
   - Test that the bot continues to function correctly with the new authorization model

## Next steps

- Related task: [#594741](https://gitlab.com/gitlab-org/gitlab/-/work_items/594741) - Update security policy bot role to minimal access
- Parent issue: [#577916](https://gitlab.com/gitlab-org/gitlab/-/work_items/577916) - Scheduled pipeline execution policy job fails to download artifacts from a previous job
task