
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorGitLab Bot <gitlab-bot@gitlab.com>2023-07-19 17:16:28 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2023-07-19 17:16:28 +0300
commite4384360a16dd9a19d4d2d25d0ef1f2b862ed2a6 (patch)
tree2fcdfa7dcdb9db8f5208b2562f4b4e803d671243 /lib/gitlab/auth.rb
parentffda4e7bcac36987f936b4ba515995a6698698f0 (diff)
Add latest changes from gitlab-org/gitlab@16-2-stable-ee v16.2.0-rc42
Diffstat (limited to 'lib/gitlab/auth.rb')
-rw-r--r--lib/gitlab/auth.rb12
1 files changed, 9 insertions, 3 deletions
diff --git a/lib/gitlab/auth.rb b/lib/gitlab/auth.rb
index 83d94d168a0..1bb92b7fa62 100644
--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
@@ -9,7 +9,8 @@ module Gitlab
API_SCOPE = :api
READ_API_SCOPE = :read_api
READ_USER_SCOPE = :read_user
- API_SCOPES = [API_SCOPE, READ_API_SCOPE, READ_USER_SCOPE].freeze
+ CREATE_RUNNER_SCOPE = :create_runner
+ API_SCOPES = [API_SCOPE, READ_API_SCOPE, READ_USER_SCOPE, CREATE_RUNNER_SCOPE].freeze
PROFILE_SCOPE = :profile
EMAIL_SCOPE = :email
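Review bot: `CREATE_RUNNER_SCOPE` joins `API_SCOPES` without a comment, and unlike its neighbours `READ_API_SCOPE` and `READ_USER_SCOPE` it is write-capable: the hunk at -251 maps it to runner-creation abilities. Every consumer of `API_SCOPES` now picks the scope up implicitly. Those consumers are not visible in this diff, so it is worth checking that each one is meant to offer or accept it. A one-line comment above the constant would record the intent, for example `# Write-capable: grants runner-creation abilities only`.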
@@ -236,6 +237,10 @@ module Gitlab
user.can?(:read_project, project)
end
+ def bot_user_can_read_project?(user, project)
+ (user.project_bot? || user.security_policy_bot?) && can_read_project?(user, project)
+ end
+
def valid_oauth_token?(token)
token && token.accessible? && valid_scoped_token?(token, Doorkeeper.configuration.scopes)
end
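Review bot: `bot_user_can_read_project?` has no comment, although it is the branch that lets an account pass build authentication without the password-login check. A short comment above the method would make that explicit, for example `# Bot accounts skip the password-login check; they pass only while they can still read the project.` The method calls `user.project_bot?` with no nil guard, so it relies on callers checking the user first. The one caller visible in this diff (hunk at -316) does so under `if build.user`. Whether the method sits under `private` cannot be seen from this hunk.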
@@ -251,7 +256,8 @@ module Gitlab
read_registry: [:read_container_image],
write_registry: [:create_container_image],
read_repository: [:download_code],
- write_repository: [:download_code, :push_code]
+ write_repository: [:download_code, :push_code],
+ create_runner: [:create_instance_runner, :create_runner]
}
scopes.flat_map do |scope|
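Review bot: The new entry `create_runner: [:create_instance_runner, :create_runner]` ties one token scope to both the instance-level and the narrower runner-creation ability, with no comment explaining the pairing. The map only lists abilities, so whether a token holder may actually create an instance runner presumably still depends on that user's policy check elsewhere. A comment such as `# create_runner: ability ceiling only; the user's policy still decides instance vs. other runners` would state that. The key is also a literal symbol that has to stay equal to `CREATE_RUNNER_SCOPE` from the first hunk. The hash and the `flat_map` block both extend beyond this hunk.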
@@ -316,7 +322,7 @@ module Gitlab
return unless build.project.builds_enabled?
if build.user
- return unless build.user.can_log_in_with_non_expired_password? || (build.user.project_bot? && can_read_project?(build.user, build.project))
+ return unless build.user.can_log_in_with_non_expired_password? || bot_user_can_read_project?(build.user, build.project)
# If user is assigned to build, use restricted credentials of user
Gitlab::Auth::Result.new(build.user, build.project, :build, build_authentication_abilities)
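Review bot: The rewritten `return unless` line is not a pure extraction. The old condition admitted only `project_bot?` users, whereas the new helper also lets `security_policy_bot?` users through without `can_log_in_with_non_expired_password?`. For those accounts the only remaining gate is `user.can?(:read_project, project)`, so rejecting a blocked or deactivated bot depends on that policy check, which is outside this diff. It is worth confirming that behaviour and adding specs for a blocked security policy bot and for one without access to the build's project. The enclosing method starts above the hunk and continues after it.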