Add ai_workflows scope to Branch API

Eva Kadlecovárequested to merge
574714-allow-ai-workflows-get-branches into master

What does this MR do and why?

Allow access to the ai_workflows OAuth scope for the Branches API.

Previously, this endpoint wasn’t accessible to tokens with the ai_workflows scope, making it impossible for the agent to fetch branches. This MR updates the Branches API to permit read access for ai_workflows tokens, enabling the Duo Agent to correctly fetch or verify branches before committing.

References

AI Gateway MR: gitlab-org/modelops/applied-ml/code-suggestions/ai-assist!3742 (merged)

Screenshots or screen recordings

Before After

How to set up and validate locally

  1. In the rails console of the GDK, create a new OAuth access token with ai_workflows scope.
[1] pry(main)> application = Doorkeeper::Application.create!(
  name: "AI Workflows App",
  redirect_uri: "urn:ietf:wg:oauth:2.0:oob",
  scopes: "ai_workflows",
  owner_id: User.find_by_username("root").id
)
=> #<Doorkeeper::Application:0x00000003301b4d50

[2] Doorkeeper::AccessToken.create!(
  application_id: application.id,
  resource_owner_id: application.owner_id,
  scopes: "ai_workflows",
  expires_in: 1.year.to_i,
  organization_id: Namespace.first.id
).plaintext_token
...
=> "TOKEN"
  1. Send a request with the new token to a relevant endpoint - update your query with your token.
curl --request GET \
  --header "Authorization: Bearer <your_oauth_token>" \
  "http://gdk.test:3000/api/v4/projects/<project_id>/repository/branches/main"
  1. You should see a response containing info about the branch (if it exists).

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #578773 (closed)

Edited by Eva Kadlecová

Merge request reports