Duo Agent Platform only use instance or top level group runners

What does this MR do and why?

Duo Agent Platform only use instance or top level group runners

More motivation can be found in https://gitlab.com/gitlab-org/gitlab/-/issues/578791.

This MR restricts Duo jobs so that they can only run on instance-wide runners or top-level group runners.

It does this in two parts:

  1. It adds the gitlab--duo tag to all Duo jobs. This means that only runners tagged with gitlab--duo will pick up these jobs. We will update our instance-wide runners to carry this tag, and customers can add it to their top-level group runners. This is behind the feature flag duo_agent_platform_ci_job_tags.
  2. It actively fails any job that is assigned to a runner that isn't an instance runner or a top-level group runner. This means that if someone adds the gitlab--duo tag to a project runner (for example), we will still not run the job on that runner. An error will be displayed telling them to remove the tag. This is behind another feature flag, duo_runner_restrictions.

The runner-blocking logic is behind a feature flag, and the intention is to enable it only on GitLab.com, as it isn't that useful for Self-Managed.
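The two checks described above, modelled as a small stand-alone Ruby example. This is not GitLab's code: the Runner struct, the flags hash, the owner_parent_id field used to tell a top-level group runner from a subgroup runner, and the exact error text are assumptions made for this illustration. The runner_type values mirror the names of the Ci::Runner enum (instance_type, group_type, project_type); job/runner tag matching is reduced to "the runner carries every tag the job asks for".

```ruby
# Hypothetical model of the two restrictions (example code, not GitLab's).
# Part 1: Duo jobs get the gitlab--duo tag when duo_agent_platform_ci_job_tags is on.
# Part 2: once a runner is assigned, anything that is not an instance runner or a
#         top-level group runner is failed when duo_runner_restrictions is on.

DUO_TAG = 'gitlab--duo'.freeze

# Assumed stand-in for Ci::Runner. owner_parent_id is only meaningful for group
# runners: nil means the owning group is top level, anything else means a subgroup.
Runner = Struct.new(:description, :runner_type, :tag_list, :owner_parent_id, keyword_init: true) do
  def instance?
    runner_type == :instance_type
  end

  def group?
    runner_type == :group_type
  end

  def top_level_group?
    group? && owner_parent_id.nil?
  end
end

# Part 1: the tags every Duo job is created with, gated by the feature flag.
def duo_job_tags(flags)
  flags[:duo_agent_platform_ci_job_tags] ? [DUO_TAG] : []
end

# Simplified tag matching: the runner must carry every tag the job asks for.
# (run_untagged and other matching rules are deliberately ignored here.)
def matches_duo_job?(runner, flags)
  (duo_job_tags(flags) - runner.tag_list).empty?
end

# Part 2: nil when the assigned runner is allowed, otherwise the user-facing
# failure message. Gated by duo_runner_restrictions.
def duo_runner_error(runner, flags)
  return nil unless flags[:duo_runner_restrictions]
  return nil if runner.instance? || runner.top_level_group?

  "Duo jobs can only run on instance runners or top-level group runners. " \
    "Remove the #{DUO_TAG} tag from runner '#{runner.description}'."
end

# Combined outcome for a runner that requests a Duo job:
#   :not_picked_up        - tags do not match, the runner never receives the job
#   :failed_before_start  - tags match but the runner type is refused (part 2)
#   :runs                 - the job is allowed to execute
def duo_job_outcome(runner, flags)
  return :not_picked_up unless matches_duo_job?(runner, flags)

  duo_runner_error(runner, flags) ? :failed_before_start : :runs
end

# Constructed sample runners for the example; none of these are real runners.
SAMPLE_RUNNERS = {
  instance_small_amd64: Runner.new(description: 'saas-small-amd64', runner_type: :instance_type,
                                   tag_list: [DUO_TAG, 'saas-linux-small-amd64'], owner_parent_id: nil),
  top_level_group:      Runner.new(description: 'acme-group-runner', runner_type: :group_type,
                                   tag_list: [DUO_TAG], owner_parent_id: nil),
  subgroup:             Runner.new(description: 'acme-sub-runner', runner_type: :group_type,
                                   tag_list: [DUO_TAG], owner_parent_id: 42),
  project_tagged:       Runner.new(description: 'acme-project-runner', runner_type: :project_type,
                                   tag_list: [DUO_TAG], owner_parent_id: nil),
  project_untagged:     Runner.new(description: 'acme-project-plain', runner_type: :project_type,
                                   tag_list: [], owner_parent_id: nil)
}.freeze

BOTH_FLAGS_ON = { duo_agent_platform_ci_job_tags: true, duo_runner_restrictions: true }.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_RUNNERS.each do |name, runner|
    puts "#{name}: #{duo_job_outcome(runner, BOTH_FLAGS_ON)}"
  end
end
```

Running the script prints one outcome per sample runner: the instance runner and the top-level group runner run the job, the tagged subgroup and project runners receive the job but are failed before it starts, and the untagged project runner never picks it up. With both flags off, duo_runner_error returns nil for every runner, which is the behaviour a Self-Managed instance keeps.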

On GitLab.com we already have the gitlab--duo tag applied to our small amd64 runners.

References

Screenshots or screen recordings

[Screenshot: Screenshot_2025-11-14_at_11.55.22_am]

[Screen recording: trusted-runners-no-audio]

How to set up and validate locally

  1. Enable the feature flag duo_runner_restrictions
  2. Enable the feature flag duo_agent_platform_ci_job_tags
  3. Follow setup instructions for Duo Agent Platform https://gitlab.com/gitlab-org/gitlab-development-kit/-/blob/main/doc/howto/duo_agent_platform.md
  4. Ensure you have a runner configured https://gitlab.com/gitlab-org/gitlab-development-kit/-/blob/main/doc/howto/runner.md
  5. Set up the runners you want to test with. Any runner with the gitlab--duo tag configured will pick up the jobs.
  6. Trigger a flow from an issue with the "Generate MR with Duo" button.
  7. If the job is picked up by anything other than an instance runner or a top-level group runner, the job will be failed immediately, before it starts.

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #578791

Edited by Dylan Griffith
