Now that we have access to API for managing groups we should automate the method in which we grant sandbox access.

My recommendation would be to use a INFO.yaml type file (through probably not that one) in the relevant ci-management repository for a project to list out the people that have sandbox rights and then have an internal CI job that does the needed invite to the relevant sandbox group.