Add feature flag for duo-cli binary vs npm installation
What does this MR do and why?
Introduces the duo_agent_platform_executor_binary feature flag to control how duo-cli is installed in CI workloads.
- When enabled: downloads a pre-compiled binary directly from the GitLab Package Registry using curl, eliminating the Node.js/npm dependency and fragile PATH manipulation.
- When disabled (default): falls back to the legacy npm install -g @gitlab/duo-cli approach.
This allows a safe, gradual rollout of the binary install approach from !238715 (merged) (which was reverted) without breaking existing environments.
Why a feature flag?
The binary install approach was merged in !238715 (merged) but reverted due to pipeline issues. Wrapping it in a feature flag lets us:
- Re-land the binary install logic safely
- Enable it incrementally per-project/group
- Roll back instantly by disabling the flag if issues arise
References
- Closes #600436 (closed)
- Original MR: !238715 (merged) (merged then reverted)
How to set up and validate locally
When skipped:
- Test that the installation process is skipped when both duo_workflow_use_hardened_image and duo_agent_platform_executor_binary are on.
- Test that the installation process is skipped when duo_workflow_use_hardened_image is on and duo_agent_platform_executor_binary is off.
When a custom image without the sandbox is used:
- Test that the binary package is installed when a custom image is used and duo_agent_platform_executor_binary is on.
- Test that the npm package is installed when a custom image is used and duo_agent_platform_executor_binary is off.
Keeping the old logic:
- Test that the npm package is installed when duo_workflow_use_hardened_image is off and duo_agent_platform_executor_binary is off.
When failing (expected, thus we introduce the FF):
- Test that the binary package is failing when duo_workflow_use_hardened_image is off and duo_agent_platform_executor_binary is on.
Edited by Alexander Chueshev