Migrate duo-cli installation in CI workloads from npm to binary

What does this MR do and why?

Migrates the duo-cli installation in CI workloads from npm install -g to a direct binary download from the GitLab Package Registry.

Before: The set_up_executor_commands method in StartWorkflowService installed @gitlab/duo-cli via npm, requiring Node.js/npm in the runner environment and fragile PATH manipulation.

After: The method now downloads the appropriate pre-compiled binary directly from the GitLab Package Registry using curl, detects the runner's OS and architecture at runtime, and installs the binary to /usr/local/bin (already in PATH).

Why binary over npm?

• Eliminates Node.js/npm version conflicts in runner environments
• Removes npm registry as a dependency for CI job success
• Removes fragile export PATH="$(npm bin -g):$PATH" shell scripting
• Unblocks the OpenTUI migration (requires Bun runtime, incompatible with npm distribution)
• Reduces release surface (no longer need to publish and validate through both npm and binary channels)

References

• Closes #600436 (closed)
• Epic: &22002
• Supersedes !237299 (closed) (closed)

Screenshots or screen recordings

N/A — backend/CI change only.

Before	After
npm install -g @gitlab/duo-cli@8.92.0	curl -fsSL https://gitlab.com/api/v4/projects/46519181/packages/generic/duo-cli/8.92.0/duo-linux-x64 -o /usr/local/bin/duo && chmod +x /usr/local/bin/duo

How to set up and validate locally

1. Run the spec: bundle exec rspec ee/spec/services/ai/duo_workflows/start_workflow_service_spec.rb
2. Confirm all examples pass, including the sandbox integration contexts.
3. Trigger a Duo Workflow in a CI environment.
4. Observe that the duo binary is downloaded via curl rather than installed via npm.
5. Confirm which duo and duo --version succeed without Node.js present.

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.