
Duo Workflow running in CI pipelines should not run on the default branch

Problem

Our initial implementation of Duo Workflow running a pipeline triggers a pipeline to run against the default branch. See https://gitlab.com/gitlab-org/gitlab/-/blob/5a7a4d11a526ed265d47dea881b7819ff1e364d3/ee/app/services/ai/duo_workflows/start_workflow_service.rb#L16.

But this does not work for users without permission to run pipelines on protected branches. It's common for Developer access to only grant you permission to run pipelines against other branches.

The reason for this is that there are often protected CI variables and protected runners that are only exposed to pipelines running from protected branches, such as the default branch. These are security features: there is some degree of trust that the code defined in .gitlab-ci.yml and in the repository on the default branch has been reviewed and merged by a Maintainer.

Solution

We should automatically create a branch to run the workflow in before creating the pipeline. We can give it a name like "duo-workflow/#{workflow.id}".
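The following is an added Ruby model of the two behaviours described in this issue (it is not GitLab's own code, and the access levels, protection rules and variable names are constructed). It shows why a Developer is denied when the workflow pipeline targets the protected default branch, and how creating a dedicated `duo-workflow/#{workflow.id}` branch lets the pipeline run while protected variables stay hidden from it.

```ruby
# Added example, not GitLab code. Models protected-branch pipeline rules and the
# proposed "create a workflow branch first" fix. All data below is constructed.

DEVELOPER  = 30
MAINTAINER = 40

Project  = Struct.new(:default_branch, :protected_branches, :variables, :branches, keyword_init: true)
Variable = Struct.new(:key, :value, :protected, keyword_init: true)

def protected_branch?(project, branch)
  project.protected_branches.include?(branch)
end

# Rule from the issue: Developer access runs pipelines on non-protected branches
# only; pipelines on protected branches need Maintainer access.
def can_run_pipeline?(project, branch, access_level)
  return true unless protected_branch?(project, branch)

  access_level >= MAINTAINER
end

# Protected CI variables are exposed only to pipelines on protected branches.
def variables_for(project, branch)
  project.variables
         .select { |v| !v.protected || protected_branch?(project, branch) }
         .map(&:key)
end

def workflow_branch_name(workflow_id)
  "duo-workflow/#{workflow_id}"
end

# Original behaviour: pipeline targets the default branch directly.
def start_workflow_on_default_branch(project, access_level)
  branch = project.default_branch
  raise "insufficient access to run pipeline on #{branch}" unless can_run_pipeline?(project, branch, access_level)

  { branch: branch, variables: variables_for(project, branch) }
end

# Proposed behaviour: create a workflow branch from the default branch, then
# run the pipeline there. The new branch is not protected, so protected
# variables and runners are not available to the workflow's code.
def start_workflow(project, workflow_id, access_level)
  branch = workflow_branch_name(workflow_id)
  project.branches[branch] = project.default_branch unless project.branches.key?(branch)
  raise "insufficient access to run pipeline on #{branch}" unless can_run_pipeline?(project, branch, access_level)

  { branch: branch, variables: variables_for(project, branch) }
end

# Constructed sample project: "main" is protected and carries one protected variable.
def sample_project
  Project.new(
    default_branch: "main",
    protected_branches: ["main"],
    variables: [
      Variable.new(key: "DEPLOY_TOKEN", value: "constructed-secret", protected: true),
      Variable.new(key: "LOG_LEVEL", value: "info", protected: false)
    ],
    branches: { "main" => nil }
  )
end

if __FILE__ == $PROGRAM_NAME
  project = sample_project
  begin
    start_workflow_on_default_branch(project, DEVELOPER)
  rescue RuntimeError => e
    puts "default branch: #{e.message}"
  end
  puts "workflow branch: #{start_workflow(project, 42, DEVELOPER).inspect}"
end
```

The `branches` hash records which ref each branch was created from; in the real service the branch would be created in the repository before the pipeline is started.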

Edited by Dylan Griffith