Workflows access to GitLab (long term)
Background
Deep dive into Agent authentication in this issue: https://gitlab.com/gitlab-org/gitlab/-/issues/461239+
Autonomous agents would require access that mirrors a user's access, because they are designed to act on behalf of users and take actions in the platform. As of today there is no mechanism for a bot to mirror a user's access.
The short-term plan is described here: https://gitlab.com/gitlab-org/ai-powered/ai-framework/team-hq/-/issues/51+
This issue is a high-level starting point for the longer-term plan.
Proposal
Move to a state in which agent actions are done via a different user/"bot" entity that is separate and distinct from the user that triggered the workflow but has the same access as that user within GitLab.
Create a token for that user that has access only to the APIs that the workflow requires. This token can leverage fine-grained access controls for PATs.
None of our existing token types (service accounts, project access tokens) make sense for this, so it would probably need to be an entirely new bot user type.