feat: Add ServiceNow integration

[ConeDjordjic]

Implements #3006

Addresses review feedback from @AleksandarCole:

• Removed the OnIncident trigger (required complex manual Business Rule setup in ServiceNow)
• Removed Basic Auth, OAuth only
• Added GetIncidents action component as a replacement

GetIncidents made the most sense over other options like create change request,
query CMDB items, or manage service catalog requests. Those are more one-off
actions. GetIncidents is more useful as a recurring check that can actually
branch the workflow based on what's going on.

Summary

Adds the ServiceNow integration with:

• Create Incident action: creates incidents via the Table API
• Get Incidents action: queries incidents with filters and routes based on urgency

Authentication is OAuth only. Categories, subcategories, assignment groups,
and users are loaded from the ServiceNow API. Selecting a group filters the
user list. Selecting a category filters the subcategory list.

Output Channels (Get Incidents)

• Clear: no incidents matched the filters
• Low: incidents found, but none are high urgency
• High: at least one high-urgency incident found

Video Demo (updated)

https://www.youtube.com/watch?v=DXuqBVpNBtk

Implementation

Backend (pkg/integrations/servicenow/)

• servicenow.go: integration config and OAuth auth
• create_incident.go: create incident action
• get_incidents.go: query incidents with filters
• client.go: ServiceNow Table API client
• list_resources.go: loads categories, subcategories, groups, and users

Frontend (web_src/src/pages/workflowv2/mappers/servicenow/)

• Action mapper for Create Incident
• Action mapper for Get Incidents with urgency-based state coloring

[AleksandarCole]

@ConeDjordjic quick summary of what we discussed:

• Let's simplify the integration config - no need to give user 2 options - pick the best one.
• Due to the limitations on ServiceNow side - let's ditch the trigger component and replace it with one more action component
• It can be GetIncident - but if you can think of a more creative component (maybe something unrelated to incidents) that would be cooler.

[forestileao]

@ConeDjordjic, I think @AleksandarCole mentioned to create a getIncident instead of a getIncidents (plural) component.
We may have problems to store unlimited arrays of json payloads due to their size at the moment. Until we have solution for that, can you replace this component with a getIncident? The paramenter can be the incident of Type FieldTypeIntegrationResource

[forestileao]

@ConeDjordjic I udpated the docs myself. Service now asks to add some strange permissions

[forestileao]

The PR is merged. @ConeDjordjic Thanks a lot for your contribution <3

cc: @AleksandarCole

[ConeDjordjic]

My bad, forgot to update the docs. The admin role part is a remnant from an earlier implementation that required it for automatic business rule creation for on_incident. It's not needed at the moment but the service itself is very limiting in terms of permissions. If at some point in the future we want to implement on_incident again without a bunch of manual steps, admin permissions will be required. For the current implementation only itil is required.

The glide.oauth.inbound.client.credential.grant_type.enabled property needs to be enabled because ServiceNow disables the client credentials grant type by default. Without it, the OAuth token request will fail. Sorry I forgot to cover that in the video demo.

[cursor]

Cursor Bugbot has reviewed your changes and found 2 potential issues.

^{Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.}

[cursor]

GetIncident sys_id path not escaped

Medium Severity

GetIncident interpolates sysID directly into the request path. If a crafted value containing reserved URL characters is ever passed (e.g. via API manipulation or corrupted config), it can alter the request path/query and fetch unintended resources or fail unexpectedly.

 

[cursor]

UI mapper assumes rootEvent always exists

Medium Severity

baseEventSections passes execution.rootEvent! into getTitleAndSubtitle. If an execution exists without a rootEvent (e.g. manual runs, migrated data, or partial API responses), this will throw during rendering and break the node UI.