feat: Add duo_workflow_use_hardened_image feature flag for DAP executor image

Andras Herczegrequested to merge
aherczeg/dap-hardened-image-feature-flag into master

What does this MR do and why?

Adds a project-scoped feature flag duo_workflow_use_hardened_image that toggles the DAP (Duo Agent Platform) executor image between the default multi-runtime image and the new hardened UBI 9 minimal variant.

When the flag is disabled (default), behavior is unchanged: StartWorkflowService falls back to IMAGE_PATH = "gitlab-org/duo-workflow/default-docker-image/workflow-generic-image:v0.0.6".

When the flag is enabled for a project, StartWorkflowService falls back to HARDENED_IMAGE_PATH = "gitlab-org/duo-workflow/default-docker-image/workflow-generic-image-hardened:v0.0.7" instead.

Refs #598547.

Changes

  1. config/feature_flags/wip/duo_workflow_use_hardened_image.yml (new) — wip type, default_enabled: false, project-scoped, owned by group::agent foundations. Milestone 19.0.
  2. ee/app/services/ai/duo_workflows/start_workflow_service.rb — adds HARDENED_IMAGE_PATH constant and a new instance_image_path private method that returns HARDENED_IMAGE_PATH when the flag is enabled for the project, otherwise IMAGE_PATH. instance_image now delegates to it. The image-resolution priority order is unchanged: workflow image → agent-config.yml default_image → instance image.

How to verify

  1. With flag disabled (default), workflows with no custom image continue to use workflow-generic-image:v0.0.6

    Screenshot 2026-05-20 at 16.54.58.png

  2. Enable the flag for a project: Feature.enable(:duo_workflow_use_hardened_image, project). Trigger a flow with no image override. Confirm the resulting workload uses workflow-generic-image-hardened:v0.0.7.

    (the job failing is a known issue currently being fixed)

    Screenshot 2026-05-20 at 16.54.34.png

  3. Set default_image in .gitlab/duo/agent-config.yml. Confirm that overrides both branches of the flag (project config wins).

# .gitlab/duo/agent-config.yml

image: registry.gitlab.com/gitlab-org/duo-workflow/default-docker-image/workflow-generic-image:v0.0.5

Screenshot_2026-05-20_at_16.59.08

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Andras Herczeg

Merge request reports