Use new rules instead of admin_group in controller

app/controllers/groups/application_controller.rb

@@ -37,6 +37,18 @@ class Groups::ApplicationController < ApplicationController
     end
   end
 
+  def authorize_admin_group_runners!
+    unless can?(current_user, :admin_group_runners, group)
+      render_404
+    end
+  end
+
+  def authorize_read_group_runners!
+    unless can?(current_user, :read_group_runners, group)
+      render_404
+    end
+  end
+
   def authorize_create_deploy_token!
     unless can?(current_user, :create_deploy_token, group)
       render_404

app/controllers/groups/runners_controller.rb

 # frozen_string_literal: true
 
 class Groups::RunnersController < Groups::ApplicationController
-  # TODO Proper policies, such as `read_group_runners, should be implemented per
-  # https://gitlab.com/gitlab-org/gitlab/-/issues/334802
-  before_action :authorize_admin_group!
+  before_action :authorize_read_group_runners!, only: [:index, :show]
+  before_action :authorize_admin_group_runners!, only: [:edit, :update, :destroy, :pause, :resume]
   before_action :runner_list_group_view_vue_ui_enabled, only: [:index]
   before_action :runner, only: [:edit, :update, :destroy, :pause, :resume, :show]
 
@@ -17,7 +16,7 @@ class Groups::RunnersController < Groups::ApplicationController
   end
 
   def runner_list_group_view_vue_ui_enabled
-    return render_404 unless Feature.enabled?(:runner_list_group_view_vue_ui, group, default_enabled: :yaml)
+    render_404 unless Feature.enabled?(:runner_list_group_view_vue_ui, group, default_enabled: :yaml)
   end
 
   def show