Allow owner project to always be on latest version of flow/agent

Everyone can contribute. Help move this issue forward while earning points, leveling up and collecting rewards.

Close this issue

About

AI agent and flow versioning (gitlab-org#20022) epic has delivered the start of versioning where enabled flows/agents are always version pinned when enabled:

When top-level group enables an item, it is pinned to its latest released version
When the group's project enables the item, it is pinned to whatever the top-level group pin is

Problem

The project that owns the flow/agent can make edits to it, but cannot use the version of their own flow/agent they just updated.

They can trust these edits to the flow/agent because they can trust themselves (so no need to pin their version for security reasons).

Proposal

As part of minimal versioning, the project that owns the flow/agent will not be version pinned when they enable the agent/flow. (Technically: give them a nil value for the pinned_version_prefix. This will mean we will always resolve their version pin to the latest released version).

All others will continue to be version pinned as normal.

Technical proposal

The backend change to enable this feature would be quite small:

Click to see proposed backend diff

diff --git a/ee/app/services/ai/catalog/item_consumers/create_service.rb b/ee/app/services/ai/catalog/item_consumers/create_service.rb
index 05b7ab553905..cb0ded54b97f 100644
--- a/ee/app/services/ai/catalog/item_consumers/create_service.rb
+++ b/ee/app/services/ai/catalog/item_consumers/create_service.rb
@@ -38,7 +38,7 @@ def execute
           return error_not_project_or_top_level_group unless for_project_or_top_level_group?
           return error_no_permissions unless allowed?
           return error_parent_item_consumer_not_passed if project_item_without_parent_item_consumer?
-          return error_no_pinned_version_prefix if pinned_version_prefix.nil?
+          return error_no_pinned_version_prefix if pinned_version_prefix.nil? && !nil_version_pin_allowed?

           error_flow_triggers_must_be_for_project if flow_triggers_not_for_project?
         end
@@ -63,6 +63,13 @@ def requires_parent_item_consumer?
           item.agent? && ai_catalog_agents_enabled?
         end

+        # A nil version pin is allowed only for project owners of the item.
+        def nil_version_pin_allowed?
+          container.is_a?(Project) && container == item.project
+        end
+
         def project_item_without_parent_item_consumer?
           requires_parent_item_consumer? && parent_item_consumer.nil?
         end
@@ -158,6 +165,7 @@ def item
         end

         def pinned_version_prefix
+          return if nil_version_pin_allowed?
           return parent_item_consumer.pinned_version_prefix if requires_parent_item_consumer?

           latest_released_version = item.latest_released_version

Edited Dec 12, 2025 by 🤖 GitLab Bot 🤖