
[PoC] Duo Workflow in CI should use a Composite Identity

This is part of the iteration plan described in gitlab-com/content-sites/handbook!10875 (closed).

We should look into the Amazon Q implementation as mentioned there, but the main goal here is to have all contributions associated with a specific, new service account user called (for example) Duo<Something>. This service account should use the new dynamic scopes so that it is limited to the actions the user who started the workflow could perform themselves.

Technical Details

Extracted from gitlab-com/content-sites/handbook!10875 (comment 2279782148)

Requirements for composite identity:

  • User who creates the pipeline is a service account
  • Service account user has the composite_identity_enforced boolean attribute set to true
  • Create an OAuth app that uses dynamic scopes. Example of how we do this for Amazon Q here.
  • Manually generate an OAuth grant for the service account + OAuth app. Example of how we do this for Amazon Q here. Ensure that the grant's dynamic scope contains the id of the human user who generated the Workflow.
  • Exchange the grant for an OAuth token.
  • Use that token to authenticate the API request that generates the pipeline.
  • The ci_job_token_jwt feature flag must be enabled for the service account. The initial plan was to roll that out globally, but problems came up that may mean this behaviour is a breaking change, so for now the feature flag is required.
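As an added illustration of the grant-exchange, token and pipeline steps above (example code written for this note, not code from the issue, from Duo Workflow or from GitLab): a client-side sketch that exchanges the manually generated grant for a token, refuses the token unless its dynamic scope is bound to exactly the human who started the workflow, and only then creates the pipeline. The `user:<id>` spelling of the dynamic scope, the placeholder base URL and app values, and the injectable `http_post` transport are assumptions.

```python
from urllib.parse import urlencode

# Assumed spelling of the dynamic scope that pins a token to one human user.
DYNAMIC_SCOPE_PREFIX = "user:"

def token_exchange_request(base_url, app, grant_code):
    """Request for POST /oauth/token: exchange the manually generated
    authorization-code grant for an access token (standard OAuth 2.0)."""
    return {
        "url": f"{base_url}/oauth/token",
        "data": urlencode({
            "grant_type": "authorization_code",
            "code": grant_code,
            "client_id": app["client_id"],
            "client_secret": app["client_secret"],
            "redirect_uri": app["redirect_uri"],
        }),
    }

def composite_scope_ok(token_response, human_user_id, allowed_static=("api",)):
    """Refuse a token unless its only dynamic scope is exactly the human who
    started the workflow and its static scopes stay within the expected set."""
    scopes = token_response.get("scope", "").split()
    dynamic = [s for s in scopes if s.startswith(DYNAMIC_SCOPE_PREFIX)]
    static = [s for s in scopes if not s.startswith(DYNAMIC_SCOPE_PREFIX)]
    if dynamic != [f"{DYNAMIC_SCOPE_PREFIX}{human_user_id}"]:
        return False
    return set(static) <= set(allowed_static)

def pipeline_request(base_url, project_id, ref, access_token):
    """Request for POST /api/v4/projects/:id/pipeline using the token, so the
    pipeline is created by the service account acting for the human user."""
    return {
        "url": f"{base_url}/api/v4/projects/{project_id}/pipeline",
        "headers": {"Authorization": f"Bearer {access_token}"},
        "json": {"ref": ref},
    }

def run_workflow_pipeline(http_post, base_url, app, grant_code,
                          human_user_id, project_id, ref):
    """Exchange the grant, verify the composite scope, then create the pipeline.
    http_post(request) -> parsed JSON dict is injected so the flow runs offline."""
    token = http_post(token_exchange_request(base_url, app, grant_code))
    if not composite_scope_ok(token, human_user_id):
        raise PermissionError(f"scope {token.get('scope')!r} not bound to user {human_user_id}")
    return http_post(pipeline_request(base_url, project_id, ref, token["access_token"]))
```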
Edited by Dylan Griffith