Prevent adding item consumers to non-top-level groups
What does this MR do and why?
We have decided to prevent allowing item consumers to be created for groups that aren't the top level group. Originally enabling in the group would mean the item is enabled for all projects. Since we now require an item to be enabled in the top-level group first (in order to create a service account), we won't be automatically enabling the item in all projects. So enabling outside of the top-level group no longer makes sense.
This MR prevents enabling items (i.e. creating an item consumer) in non top-level groups.
References
Screenshots or screen recordings
| Before | After |
|---|---|
How to set up and validate locally
-
Enable the
global_ai_catalogandai_catalog_flowsfeature flags -
Create a flow
mutation {
aiCatalogFlowCreate(
input: {name: "New Flow", description: "Test flow", projectId: "gid://gitlab/Project/<PROJECT ID>", public: true, definition: "version: v1\nenvironment: ambient\ncomponents:\n - name: main_agent\n type: AgentComponent\n prompt_id: test_prompt\nrouters: []\nflow:\n entry_point: main_agent" }
) {
errors
item {
id
}
}
}- Add that flow to a top-level group:
mutation {
aiCatalogItemConsumerCreate(
input: {itemId: "gid://gitlab/Ai::Catalog::Item/<FLOW ID>", target: {groupID: "gid://gitlab/Group/<TOP LEVEL GROUP ID>"} }
) {
itemConsumer {
id
serviceAccount { id username }
}
errors
}
}- Create a sub group, and try adding it to that group instead:
mutation {
aiCatalogItemConsumerCreate(
input: {itemId: "gid://gitlab/Ai::Catalog::Item/<FLOW ID>", target: {groupID: "gid://gitlab/Group/<CHILD GROUP ID>"} }
) {
itemConsumer {
id
serviceAccount { id username }
}
errors
}
}This should fail with the error "Item can only be enabled in projects or top-level groups"
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Related to #579803 (closed)