Updates codepaths so new rows in duo_workflows_workflows table are created with valid service_account_id values

What does this MR do and why?

This MR is part 3 (of 4) of the solution that addresses #584271 (closed).

In this other recent MR, we added a new service_account_id column to the duo_workflows_workflows table to store the service account ID for individual workflows. This service account will be used to author system notes that display agent activity.

This MR updates the duo_workflows code paths so that new rows in the duo_workflows_workflows table are created with valid service_account_id values.

For more context, see comment.

How to set up and validate locally

Prerequisites

  • An active Ultimate license.
  • Duo Enterprise subscription configured: bundle exec 'rake gitlab:duo:setup[duo_enterprise]'
  • Remote Flows configured locally. Follow these steps to set up and configure.

Once the correct license and Remote Flows have been set up locally, follow the validation steps below.

Validation Steps

Setup: Navigate to an issue in the UI (e.g., http://gdk.test:3000/gitlab-duo/test/-/issues and select any issue)

On master branch:

  1. Click the Generate MR with Duo button to trigger the developer/v1 workflow
  2. Find an MR with a broken pipeline and click Fix pipeline with Duo button to trigger the fix_pipeline/v1 workflow
  3. Find an MR and request a code review from @GitLabDuo to trigger the code_review/v1 workflow
  4. In Rails console (gdk rails c), run:
    • Ai::DuoWorkflows::Workflow.where("workflow_definition LIKE ?", "%/v1").order(created_at: :desc).limit(10).pluck(:id, :service_account_id, :workflow_definition, :created_at)
    • Verify that service_account_id is nil for the most recent workflow(s). See screenshot below

On this branch:

  1. Foundational Flows and Code Review:

    1. Repeat steps 1-4 above
    2. Verify that service_account_id is a non-nil value for the most recent workflow(s). See screenshot section.
  2. Foundational Flows (API)

# Replace the "goal" URL and the merge request URL in additional_context with your own.
curl --location 'http://172.16.123.1:3000/api/v4/ai/duo_workflows/workflows' \
    --header 'Content-Type: application/json' \
    --header "PRIVATE-TOKEN: <PAT_TOKEN>" \
    --data '{
        "project_id": "1000000",
        "goal": "http://172.16.123.1:3000/gitlab-duo/test/-/pipelines/628",
        "workflow_definition": "fix_pipeline/v1",
        "agent_privileges": [1,2,3,4,5],
        "pre_approved_agent_privileges": [1,2,3,4,5],
        "start_workflow": true,
        "source_branch": "add-capwords",
        "additional_context": [{"Category": "merge_request", "Content": "{\"url\": \"http://172.16.123.1:3000/gitlab-duo/test/-/merge_requests/98\"}"}, {"Category": "pipeline", "Content": "{\"source_branch\": \"workloads/7172aab6f48\"}"}]
}'
  • Verify service_account_id is populated (See screenshot section.):
Ai::DuoWorkflows::Workflow.order(created_at: :desc).limit(1).pluck(:id, :service_account_id, :workflow_definition, :created_at)
  3. For Remote Flows:
    1. Create a flow definition file in your project (if you don't already have one). Here's what I used (for ease)
mkdir -p .gitlab/duo
cat > .gitlab/duo/flow.yml << 'EOF'
image: ruby:3.0
commands:
  - echo "Remote flow executed"
variables: []
injectGatewayToken: false
EOF
    2. Create a service account and flow trigger in Rails console
proj = Project.find(1000000)
user = User.find(1)
service_account = User.service_account.first

flow_trigger = Ai::FlowTrigger.create!(
  project: proj,
  user: service_account,
  event_types: [Ai::FlowTrigger::EVENT_TYPES[:mention]],
  description: "Trigger - Test flow",
  config_path: ".gitlab/duo/flow.yml"
)
    3. Trigger the flow in the UI:
  • Navigate to the project and create a new issue
  • Add a comment mentioning the service account: @<service_account_username> can you help debug this method?
  • The flow should trigger automatically
    4. Verify service_account_id is populated (See screenshot section.):
Ai::DuoWorkflows::Workflow.order(created_at: :desc).limit(1).pluck(:id, :service_account_id, :workflow_definition, :created_at)
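
The validation steps above check the most recent rows by eye. As an added example (not part of this MR or of GitLab's code), the helper below takes rows in the same shape as the pluck output and reports, per workflow definition, whether any row created after the branch went live still lacks a service_account_id, and whether a flow was never exercised at all. The function name, the cutoff parameter, the sample rows and the "example_remote/v1" definition value are all assumptions made for illustration.

```ruby
require "time"

# Flow definitions the validation steps above trigger (taken from the page).
EXPECTED_DEFINITIONS = %w[developer/v1 fix_pipeline/v1 code_review/v1].freeze

# rows: arrays shaped like the pluck output above:
#   [id, service_account_id, workflow_definition, created_at]
# cutoff: Time at which the branch under test went live; older rows were
#   created by master and are expected to have a nil service_account_id.
# Returns { definition => { total:, missing_ids:, status: } }.
def service_account_coverage(rows, cutoff, expected: EXPECTED_DEFINITIONS)
  report = expected.to_h { |d| [d, { total: 0, missing_ids: [] }] }

  rows.each do |id, service_account_id, definition, created_at|
    created_at = Time.parse(created_at) if created_at.is_a?(String)
    next if created_at < cutoff # pre-change row, out of scope

    entry = (report[definition] ||= { total: 0, missing_ids: [] })
    entry[:total] += 1
    entry[:missing_ids] << id if service_account_id.nil?
  end

  report.each_value do |entry|
    entry[:status] =
      if entry[:total].zero? then :not_exercised # flow never triggered
      elsif entry[:missing_ids].empty? then :ok
      else :missing_service_account
      end
  end
  report
end

# Constructed sample rows (not taken from a real instance).
SAMPLE_CUTOFF = Time.parse("2026-02-05 12:00:00 UTC")
SAMPLE_ROWS = [
  [101, nil, "developer/v1",      "2026-02-04 12:59:00 UTC"], # created on master
  [102, 77,  "developer/v1",      "2026-02-05 17:10:00 UTC"],
  [103, 77,  "fix_pipeline/v1",   "2026-02-05 17:12:00 UTC"],
  [104, nil, "fix_pipeline/v1",   "2026-02-05 17:13:00 UTC"], # still unattributed
  [105, 78,  "example_remote/v1", "2026-02-05 19:50:00 UTC"]  # placeholder definition
].freeze

if __FILE__ == $PROGRAM_NAME
  service_account_coverage(SAMPLE_ROWS, SAMPLE_CUTOFF).each do |defn, e|
    puts format("%-20s %-24s total=%d missing=%p",
                defn, e[:status], e[:total], e[:missing_ids])
  end
end
```

In a Rails console the rows argument can be the result of the pluck call shown above, since pluck returns arrays in the same column order.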

References

  1. Part 1 MR: Adds Service Account ID column to duo_workflows... (!220828 - merged)
  2. Part 2 MR: Backfills service account id on duo_workflows_w... (!221894 - merged)
  3. Part 3 MR: <--- this MR
  4. Part 4 MR (feature implementation draft): Update flows agent tracking to consumer service... (!220837 - merged)

Screenshots or screen recordings

service_account_id nil value in new rows (master branch validation)

Screenshot_2026-02-04_at_12.59.35

service_account_id non-nil value inclusion in new rows (this branch validation for Foundational Flows and Code Review)

Screenshot_2026-02-05_at_17.13.45

service_account_id non-nil value inclusion in new rows (this branch validation for Remote Flows)

Screenshot_2026-02-05_at_19.50.20


MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Shola Quadri
