Allow ai_workflows to create an MR

What does this MR do and why?

The Duo Workflow Executor uses an OAuth token with the scope ai_workflows, which is created in the Rails backend.

An ai_workflows scoped token currently does not have access to create Merge Requests via the Rails API (reference). We need this permission to allow Duo Workflow to open an MR (link to issue).

This MR adds the permission for the ai_workflows scoped token to create an MR.

References

#524553 (closed)

#524553 (comment 2475139043)

How to set up and validate locally

  1. Create a new OAuth token in the Rails console:
[1] pry(main)> token = ::Ai::DuoWorkflows::CreateOauthAccessTokenService.new(current_user: User.first, organization: Organizations::Organization.first).execute[:oauth_access_token]
...
=> #<OauthAccessToken:0x000000032605df38
 id: 129,
 resource_owner_id: 1,
 application_id: 1,
 token: "[FILTERED]",
 refresh_token: nil,
 expires_in: 7200,
 revoked_at: nil,
 created_at: Fri, 02 May 2025 20:24:38.636428000 UTC +00:00,
 scopes: "ai_workflows",
 organization_id: 1>



[2] pry(main)> token.plaintext_token
=> "OAUTH_TOKEN"
  2. Create an MR for a given project ID, with the above token:
curl --location 'gdk.test:3000/api/v4/projects/<PROJECT_ID>/merge_requests' \
--header 'Authorization: Bearer OAUTH_TOKEN' \
--form 'title="Test Branch Title"' \
--form 'source_branch="name-of-new-branch"' \
--form 'target_branch="master"'
  3. Confirm new MR exists in your GDK browser at that project page.

  4. When done, revoke token:

[3] pry(main)> token.revoke

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Roman Eisner
