Update security policy bot role to minimal access
## Overview

Update the security policy bot creation logic to use a minimal access role instead of the guest role. This change will be implemented behind a feature flag to allow testing and validation of the minimal permissions needed for the bot to function correctly.

## Background

Currently, security policy bots are created with guest role access. This grants more permissions than the bot needs and enlarges the attack surface. By moving to a minimal access role, we can reduce the bot's permissions to only what is required for its core functionality.

## What needs to be done

1. **Implement minimal access bot creation** in [`CreateBotService`](https://gitlab.com/gitlab-org/gitlab/-/blob/aa99e4155fb1056a6da1f7e3079b21dc0c2a83bd/ee/app/services/security/orchestration/create_bot_service.rb#L37-41)
   - Add a feature flag `security_policy_bot_minimal_access` to control the behavior
   - When enabled, create bots with minimal access instead of guest role
   - Maintain backward compatibility by defaulting to guest role when flag is disabled
2. **Determine required permissions** through testing
   - Enable the feature flag in test environments
   - Identify which permissions from the guest role are actually needed
   - Document the minimal set of permissions required for bot functionality
3. **Create the minimal access role** (in coordination with [#594740](https://gitlab.com/gitlab-org/gitlab/-/work_items/594740))
   - Define a `security_policy_bot` role in YAML format with only necessary permissions
   - Ensure the role includes all permissions identified in step 2

## Implementation details

The change should be made in the `CreateBotService` around lines 37-41:

```ruby
# Current behavior (guest role)
# New behavior (behind feature flag)
if Feature.enabled?(:security_policy_bot_minimal_access)
  # Create bot with minimal access role
else
  # Create bot with guest role (current behavior)
end
```

## Related work

- Blocking task: [#594740](https://gitlab.com/gitlab-org/gitlab/-/work_items/594740) - Refactor security policy bot permissions to use YAML format
- Related task: [#594742](https://gitlab.com/gitlab-org/gitlab/-/work_items/594742) - Grant API access to security policy bot role
- Parent issue: [#577916](https://gitlab.com/gitlab-org/gitlab/-/work_items/577916) - Scheduled pipeline execution policy job fails to download artifacts from a previous job

## Acceptance criteria

- [ ] Feature flag `security_policy_bot_minimal_access` implemented
- [ ] Bot creation logic updated to use minimal access when flag is enabled
- [ ] Backward compatibility maintained (defaults to guest role when flag is disabled)
- [ ] Testing performed to identify required permissions
- [ ] Documentation of minimal permissions created
- [ ] All tests pass
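The flag-gated role selection (step 1) and the derivation of the minimal permission set from the guest role (steps 2 and 3), as an added stand-alone example that is not GitLab's code: the guest permission list, the observed bot usage and the `flags` hash standing in for `Feature.enabled?` are all constructed assumptions, and the check that the minimal role never grants anything outside the guest role is the invariant a reviewer would want enforced.

```ruby
require 'yaml'
require 'set'

# Constructed sample: a guest-like permission list (not GitLab's real guest role).
GUEST_PERMISSIONS = %w[
  read_project read_issue read_merge_request read_pipeline
  read_build download_code create_issue read_wiki read_snippet
].freeze

# Constructed sample: permissions the bot was observed exercising in flag-enabled test runs.
OBSERVED_BOT_USAGE = %w[read_project read_pipeline read_build read_project read_merge_request].freeze

# Stand-in for Feature.enabled?(:security_policy_bot_minimal_access); `flags` is a plain hash (assumption).
def minimal_access_enabled?(flags)
  flags.fetch(:security_policy_bot_minimal_access, false)
end

# Derive the minimal role: only the guest permissions the bot actually used.
# Anything observed outside guest is an error, since the new role must never grant more than guest did.
def derive_minimal_role(guest, observed)
  guest_set = guest.to_set
  needed = observed.to_set
  extra = needed - guest_set
  unless extra.empty?
    raise ArgumentError, "observed permissions outside guest role: #{extra.to_a.sort.join(', ')}"
  end
  { 'name' => 'security_policy_bot', 'permissions' => (guest_set & needed).to_a.sort }
end

# Serialize the role in the YAML shape the blocking task calls for (assumed layout: name + permissions list).
def role_to_yaml(role)
  role.to_yaml
end

# Reload a YAML role and re-check the subset invariant before it is trusted.
def load_role_yaml(yaml_text, guest)
  role = YAML.safe_load(yaml_text)
  extra = role.fetch('permissions').to_set - guest.to_set
  raise ArgumentError, "role grants beyond guest: #{extra.to_a.sort.join(', ')}" unless extra.empty?
  role
end

# Flag-gated selection mirroring the CreateBotService sketch: guest role stays the default.
def select_bot_role(flags, guest, observed)
  if minimal_access_enabled?(flags)
    derive_minimal_role(guest, observed)
  else
    { 'name' => 'guest', 'permissions' => guest.sort }
  end
end
```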