Security Policy Bot Permissions for Scheduled Pipeline Execution Policies
## Summary
This epic tracks all work related to fixing and extending the security policy bot's permissions to support scheduled pipeline execution policies. The bot currently lacks the necessary access to download artifacts, read CI configs from other projects, and trigger downstream pipelines — making the feature unusable for many real-world use cases.
These fixes are required for the **19.0 Experiment** milestone of the parent epic https://gitlab.com/groups/gitlab-org/-/work_items/17875.
## Problem Statement
The security policy bot is added as "Guest" to the project being scanned and not added to other projects at all. This causes three related failures:
1. **Artifact download fails** — Jobs in later stages cannot download artifacts from earlier policy jobs due to `403 Forbidden - This action cannot be performed by internal users`
2. **Cross-repo content inaccessible** — Policies referencing CI configs from other projects via `include: project:` fail because the bot has no access to those projects
3. **Downstream pipelines blocked** — Scheduled PEP pipelines cannot trigger downstream/child pipelines due to missing permissions
## Child Issues
### 1. Artifact download between scheduled policy jobs
https://gitlab.com/gitlab-org/gitlab/-/work_items/577916
Fix the `403 Forbidden` error when the security policy bot tries to download artifacts from a previous job within the same scheduled pipeline. This issue has a 3-phase implementation plan:
- **Phase 1**: Refactor bot permissions to YAML format (https://gitlab.com/gitlab-org/gitlab/-/work_items/594740)
- **Phase 2**: Update bot role to minimal access (https://gitlab.com/gitlab-org/gitlab/-/work_items/594741)
- **Phase 3**: Grant API access to bot role (https://gitlab.com/gitlab-org/gitlab/-/work_items/594742)
### 2. Bot cannot read content or trigger other repos
https://gitlab.com/gitlab-org/gitlab/-/work_items/557301
The bot cannot access `content` from a different project (e.g., CI config stored outside the security policy project) and cannot trigger downstream pipelines. This makes scheduled PEPs unusable with multi-repo or downstream pipeline workflows.
### 3. CI config project owners grant access to policy bots
https://gitlab.com/gitlab-org/gitlab/-/work_items/588852
Implement project settings that allow CI config project owners to explicitly grant access to security policy bots for specific CI configuration files. Includes:
- `pipeline_execution_policy_bot_access_enabled` toggle
- `pipeline_execution_policy_bot_access_file_patterns` for file-level granularity
- `pipeline_execution_policy_bot_access_group_id` for group restriction
- Feature flag: `pipeline_execution_policy_bot_ci_config_access`
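As an added illustration (not GitLab's own code), the following Ruby sketch models how the three project settings listed above could combine into a single read-access decision for a policy bot. The setting names are taken from this epic; everything else (glob matching via `File.fnmatch?`, deny-by-default when no pattern is configured, a hypothetical `PolicyBot` record carrying group ids, and the path-normalization check) is an assumption made for the example.

```ruby
# Added example, not GitLab's own code: a minimal model of how the three
# project settings named in this epic could gate a policy bot's read access
# to a CI config file. The setting names come from the epic; the matching
# rules below (glob patterns via File.fnmatch?, deny-by-default, group match)
# are assumptions made for illustration.

ProjectSettings = Struct.new(
  :pipeline_execution_policy_bot_access_enabled,
  :pipeline_execution_policy_bot_access_file_patterns,
  :pipeline_execution_policy_bot_access_group_id,
  keyword_init: true
)

# Hypothetical bot record: the ids of the groups whose policies it acts for.
PolicyBot = Struct.new(:group_ids, keyword_init: true)

# Accept only plain repository-relative paths, so a pattern such as
# "ci/*.yml" cannot be satisfied by an absolute or traversing path.
def normalized_repo_path?(path)
  return false if path.nil? || path.empty? || path.start_with?('/')

  segments = path.split('/')
  segments.none? { |seg| seg.empty? || seg == '.' || seg == '..' }
end

def bot_can_read_ci_config?(settings, bot, path)
  return false unless settings.pipeline_execution_policy_bot_access_enabled
  return false unless normalized_repo_path?(path)

  # Group restriction: when set, only bots acting for that group qualify.
  group_id = settings.pipeline_execution_policy_bot_access_group_id
  return false if group_id && !bot.group_ids.include?(group_id)

  # File-level granularity: deny by default, allow only explicit matches.
  # FNM_PATHNAME keeps "*" from crossing "/", so "ci/*.yml" stays one level
  # deep; an owner would write "ci/**/*.yml" to opt in to subdirectories.
  patterns = Array(settings.pipeline_execution_policy_bot_access_file_patterns)
  patterns.any? { |pattern| File.fnmatch?(pattern, path, File::FNM_PATHNAME) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample settings and bot, for demonstration only.
  settings = ProjectSettings.new(
    pipeline_execution_policy_bot_access_enabled: true,
    pipeline_execution_policy_bot_access_file_patterns: ['ci/policies/*.yml'],
    pipeline_execution_policy_bot_access_group_id: 42
  )
  bot = PolicyBot.new(group_ids: [42])
  %w[ci/policies/sast.yml ci/policies/nested/sast.yml .gitlab-ci.yml ../ci/policies/sast.yml].each do |p|
    puts "#{p}: #{bot_can_read_ci_config?(settings, bot, p)}"
  end
end
```

The ordering of the checks matters for least privilege: the toggle is evaluated first, so an owner flipping `pipeline_execution_policy_bot_access_enabled` off revokes everything regardless of patterns or group, and an empty pattern list grants nothing rather than everything.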
## Acceptance Criteria
- [ ] Security policy bot can download artifacts between jobs in scheduled PEP pipelines
- [ ] Security policy bot can read CI configs from explicitly authorized external projects
- [ ] Security policy bot can trigger downstream/child pipelines from scheduled PEPs
- [ ] All permission changes are behind appropriate feature flags
- [ ] No regression in existing pipeline execution policy behavior
## Related
- Parent Epic: https://gitlab.com/groups/gitlab-org/-/work_items/17875
- Target Milestone: **19.0** (Experiment)