Activity feed incorrectly attributes MR updates to human user instead of service account when using composite identity
Everyone can contribute. Help move this issue forward while earning points, leveling up and collecting rewards.
Problem Statement
When using composite identity tokens for merge request API operations, the initial MR creation correctly attributes the action to the service account. However, subsequent MR updates generate activity feed entries that incorrectly reference the human user instead of the service account.
This inconsistency was identified during work on issue #554148. While MR creation doesn't generate an activity feed entry, any updates to the MR do, and these updates are being attributed to the wrong user.
This is a known limitation from the original composite identity implementation in !204010 (merged), where attribution was fixed for the most common use cases but not all scenarios due to time constraints.
Desired Outcome
Activity feed entries for MR updates should consistently attribute actions to the service account when composite identity tokens are used, matching the behavior of the initial MR creation.
The fix should follow the same pattern established in !204010 (merged) for handling composite identity attribution in other use cases.