Add foundational Flows to group by default with correct service account

Problem

With Agent Identity for the Duo Agent Platform (&19478) being implemented, we still need to agree on how to treat our foundational flows (the default flows GitLab provides) and how to iterate them towards the new Agent Identity implementation.

Old state:

  1. Instance-level setting "Turn on Duo Agent Platform"
    1. Creates an instance-level Duo Developer service account.
  2. Cascading setting "Allow flow execution"
    1. If enabled, the Issue-to-MR and fix-pipeline buttons are shown for the project.
  3. Feature flag for composite identity
    1. If enabled, the composite identity of the Duo Developer service account is used for any flow.
    2. If the Duo Developer service account is not already a member of the project, it is added automatically as part of executing the flow.

Desired Outcome

  1. Composite identity should be used by default for any agent or flow executed in CI.
  2. On .com we need to move towards scoping foundational flows (and the service account they run as) to top-level groups as well, instead of one instance-level account shared across all groups; this limits the blast radius of a stolen token and prevents cross-top-level-group access.
  3. Foundational flows are enabled by default for an org or an individual project.
  4. Foundational flows should otherwise behave as much as possible like any custom flow.

Suggested first iteration

This suggestion assumes &19478, which is being implemented right now.

  1. Synchronize the foundational flows to the catalog so that they can be enabled (syncing is taken care of by #580313 (closed)).
  2. Re-use the existing flow execution setting.
  3. Add an additional Foundational Flows setting.
  4. When a foundational flow is interacted with:
    1. Add the flow and the service account to all projects the setting is activated on.
    2. Create the default triggers for the foundational flows.
  5. Remove the current setting/button used for instance-wide onboarding of composite identity.

This generally keeps behavior similar to what we have now, while also integrating with the catalog.

Further Links

Decision Record

Edited by Sebastian Rehm