Grant API access to security policy bot role
## Overview
Grant API access to the security policy bot role once the bot has been migrated to use minimal access permissions. This ensures the bot can perform necessary API operations while maintaining a minimal security footprint.
## Background
Security policy bots currently have limited API access due to their guest role. Once we migrate bots to use a minimal access role (see [#594741](https://gitlab.com/gitlab-org/gitlab/-/work_items/594741)), we can confidently grant API access because we will have validated that the bot only has the permissions it needs to execute its core tasks.
This approach provides better security by:
- Reducing the bot's overall permission surface
- Ensuring the bot only has access to what it actually needs
- Making it easier to audit and understand bot capabilities
## What needs to be done
1. **Wait for minimal access migration** to complete ([#594741](https://gitlab.com/gitlab-org/gitlab/-/work_items/594741))
   - Ensure bots are created with minimal access role
   - Verify all required permissions are identified and documented
2. **Add API access permissions** to the `security_policy_bot` role
   - Update the YAML role definition (from [#594740](https://gitlab.com/gitlab-org/gitlab/-/work_items/594740))
   - Include necessary API permissions for bot functionality
   - Document which API endpoints the bot needs access to
3. **Test API access** in the minimal access context
   - Verify the bot can perform required API operations
   - Ensure no additional permissions are needed
   - Test in both new and existing environments
4. **Update documentation** if needed
   - Document the API capabilities of the security policy bot
   - Update any relevant guides or references
## Dependencies
This task is **blocked by**:
- [#594741](https://gitlab.com/gitlab-org/gitlab/-/work_items/594741) - Update security policy bot role to minimal access
- [#594740](https://gitlab.com/gitlab-org/gitlab/-/work_items/594740) - Refactor security policy bot permissions to use YAML format
## Related work
- Parent issue: [#577916](https://gitlab.com/gitlab-org/gitlab/-/work_items/577916) - Scheduled pipeline execution policy job fails to download artifacts from a previous job
## Acceptance criteria
- [ ] Minimal access migration ([#594741](https://gitlab.com/gitlab-org/gitlab/-/work_items/594741)) is complete
- [ ] API access permissions added to `security_policy_bot` role
- [ ] API endpoints required by the bot are documented
- [ ] Testing confirms bot can perform necessary API operations
- [ ] No additional permissions are needed beyond minimal access
- [ ] All tests pass
- [ ] Documentation updated