
Workflows access to GitLab (short term)

Background

Deep dive into Agent authentication in this issue: https://gitlab.com/gitlab-org/gitlab/-/issues/461239

Autonomous Agents would require access that mirrors a user's access, because they are designed to act on behalf of users and take actions in the platform. As of today there is no mechanism for a bot to mirror a user's access.

Proposal

Our goal is to enable Duo Workflows to act in GitLab to achieve goals and to answer tasks from our users. To do that, we would need to be able to tell the difference between a bot and a person.

Short term proposal (this issue)

Use user tokens with a specific scope and audit events around usage of these tokens so that we know which actions were taken by the Agent even though the action will appear to be from the user.

It is also important that this scope does not allow full API access, so that we avoid destructive actions that a user could take with an API token but that we want to prevent a Workflow from taking. For example, we probably don't want to allow Workflows to delete projects.

To do this, we will:

  • Add a new token scope called ai_workflows. Example of an MR that adds a new scope.
    • This scope should be available to GitLab.com and SM instances.
    • This scope should only be used by OAuth clients. It wouldn't make sense to create a Personal Access Token with this scope, because the scope should be used by Duo Workflows only.
  • Certain GitLab API endpoints will allow access with the ai_workflows scope but it should be a subset of the api scope. In other words, this scope by default does not allow access to anything and we will opt API endpoints into allowing the scope one-by-one.
  • This token scope will only be given to tokens that are generated with a specific OAuth client so the scope should not be shown as an option for general Personal Access Tokens or regular OAuth apps.
  • Not implemented for now due to early experimental phase: When actions are taken by a token with the ai_workflows scope, an audit event is emitted. Similar to how we audit impersonation actions.
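
The deny-by-default scope check and the issuance restriction from the list above, as an added Ruby illustration that is not GitLab's code. `ScopePolicy`, `Token`, the client id and the route strings are hypothetical, and the audit event is left out because the list marks it as not implemented.

```ruby
# Added illustration: every class, method, client id and route name below is
# hypothetical and does not come from the GitLab code base.
require 'set'

Token = Struct.new(:scopes, :oauth_client_id, keyword_init: true)

class ScopePolicy
  RESTRICTED_SCOPE = :ai_workflows
  FULL_SCOPE = :api

  def initialize(workflow_client_id:)
    @workflow_client_id = workflow_client_id
    @opted_in = Set.new # endpoints that accept ai_workflows; empty by default
  end

  # Opt a single endpoint into the restricted scope.
  def allow_ai_workflows(verb, path)
    @opted_in << [verb, path]
  end

  # Issuance check: only the dedicated OAuth client may request the scope.
  # Personal Access Tokens (no client) and other OAuth apps are refused.
  def grantable?(scope, oauth_client_id)
    return true unless scope == RESTRICTED_SCOPE
    !oauth_client_id.nil? && oauth_client_id == @workflow_client_id
  end

  def issue(scopes:, oauth_client_id: nil)
    denied = scopes.reject { |s| grantable?(s, oauth_client_id) }
    raise ArgumentError, "scope not grantable: #{denied.join(', ')}" unless denied.empty?
    Token.new(scopes: scopes, oauth_client_id: oauth_client_id)
  end

  # Request-time check: api covers every endpoint, ai_workflows only the
  # opted-in ones, so a new endpoint is denied until it is opted in.
  def authorized?(token, verb, path)
    return true if token.scopes.include?(FULL_SCOPE)
    token.scopes.include?(RESTRICTED_SCOPE) && @opted_in.include?([verb, path])
  end
end

POLICY = ScopePolicy.new(workflow_client_id: 'duo-workflow-client') # constructed id
POLICY.allow_ai_workflows(:get, '/projects/:id/issues')             # constructed route
WORKFLOW_TOKEN = POLICY.issue(scopes: [:ai_workflows], oauth_client_id: 'duo-workflow-client')
```
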

Long term proposal (#468370)

Move to a state in which agent actions are done via a different user/"bot" entity that is separate and distinct from the user that triggered the workflow but has the same access as the user within GitLab.

Edited by Sebastian Rehm