Draft: Migrate duo-cli installation in CI workloads from npm to binary

What does this MR do and why?

Migrates the duo-cli installation in CI workloads from npm install -g to a direct binary download from the GitLab Package Registry.

Before: The set_up_executor_commands method in StartWorkflowService installed @gitlab/duo-cli via npm, requiring Node.js/npm in the runner environment and fragile PATH manipulation.

After: The method now downloads the appropriate pre-compiled binary directly from the GitLab Package Registry using curl, detects the runner's OS and architecture at runtime, and installs the binary to /usr/local/bin (already in PATH).

Changes

  • ee/app/services/ai/duo_workflows/start_workflow_service.rb: Replaces npm-based CLI install with a curl binary download. Adds DUO_CLI_PROJECT_ID, DUO_CLI_INSTALL_DIR, and DUO_CLI_REGISTRY_BASE_URL constants. Extracts cli_install_command into a private method.
  • .gitlab/ci/setup.gitlab-ci.yml: Updates the verify-start-workflow-service-assets preflight job to check binary artifact availability via curl --head instead of npm view.
  • ee/spec/services/ai/duo_workflows/start_workflow_service_spec.rb: Updates cli_install_command and cli_install_commands let blocks to reflect the new binary download command.

Why binary over npm?

  • Eliminates Node.js/npm version conflicts in runner environments
  • Removes npm registry as a dependency for CI job success
  • Removes fragile export PATH="$(npm bin -g):$PATH" shell scripting
  • Unblocks the OpenTUI migration (requires Bun runtime, incompatible with npm distribution)
  • Reduces release surface (no longer need to publish and validate through both npm and binary channels)

Screenshots or screen recordings

N/A — backend/CI change only.

Before: npm install -g @gitlab/duo-cli@8.92.0

After: curl -fsSL https://gitlab.com/api/v4/projects/46519181/packages/generic/duo-cli/8.92.0/duo-linux-x64 -o /usr/local/bin/duo && chmod +x /usr/local/bin/duo

How to set up and validate locally

  1. Trigger a Duo Workflow in a CI environment
  2. Observe that the duo binary is downloaded via curl rather than installed via npm
  3. Confirm which duo and duo --version succeed without Node.js present

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
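
Added example (not code from this MR or from the GitLab project): the runtime OS/architecture detection and binary install described above, with the download checked against a pinned SHA-256 before it is placed in PATH. The function names, every artifact name other than duo-linux-x64, and the availability of a pinned digest for each release are assumptions.

```shell
#!/bin/sh
# Added example, not the MR's code. Artifact names other than duo-linux-x64
# and the pinned-digest step are assumptions, not taken from the MR.

DUO_BASE_URL="https://gitlab.com/api/v4/projects/46519181/packages/generic/duo-cli"

# Map `uname -s` / `uname -m` output to an artifact name (duo-<os>-<arch>).
duo_artifact_name() {
  case "$1" in
    Linux)  os=linux ;;
    Darwin) os=darwin ;;
    *) echo "unsupported OS: $1" >&2; return 1 ;;
  esac
  case "$2" in
    x86_64|amd64)  arch=x64 ;;
    aarch64|arm64) arch=arm64 ;;
    *) echo "unsupported arch: $2" >&2; return 1 ;;
  esac
  echo "duo-${os}-${arch}"
}

# Succeed only if the file's SHA-256 equals the pinned digest.
sha256_matches() {
  if command -v sha256sum >/dev/null 2>&1; then
    actual=$(sha256sum "$1" | cut -d' ' -f1)
  else
    actual=$(shasum -a 256 "$1" | cut -d' ' -f1)
  fi
  [ "$actual" = "$2" ]
}

# Download to a temp file, verify, and only then install into PATH.
# usage: install_duo <version> <expected_sha256> [install_dir]
install_duo() {
  name=$(duo_artifact_name "$(uname -s)" "$(uname -m)") || return 1
  tmp=$(mktemp) || return 1
  rc=1
  if curl -fsSL "${DUO_BASE_URL}/$1/${name}" -o "$tmp" && sha256_matches "$tmp" "$2"; then
    install -m 0755 "$tmp" "${3:-/usr/local/bin}/duo" && rc=0
  else
    echo "download or checksum verification failed; nothing installed" >&2
  fi
  rm -f "$tmp"
  return "$rc"
}
```

Writing to a temporary file first means a truncated or mismatching download never replaces an existing /usr/local/bin/duo.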
