chore(install-dynamic-plugins): consume installer from npm

[gustavolira]

Summary

Swaps the COPY of scripts/install-dynamic-plugins/{install-dynamic-plugins.cjs,install-dynamic-plugins.sh} for an npm install of @red-hat-developer-hub/cli-module-install-dynamic-plugins@0.1.0 (built and published out of redhat-developer/rhdh-plugins#3254 / the unbundled successor feat/install-dynamic-plugins-cli-module-unbundled).

Lets the rhdh-plugins side use the standard backstage-cli package build (the cli-module convention) and drops a couple of workarounds on its side: no custom esbuild bundling step, no keytar native-binary stub.

Containerfile change

• Install into /opt/dynamic-plugins-installer/ (its own dir, no package.json) so npm cannot reach into /opt/app-root/src — that path is the yarn workspace root and npm install there would honor workspaces and reshuffle the production tree built by yarn workspaces focus.
• --no-save --omit=dev so npm doesn't write package-lock.json into the installer dir.
• Exact version pin 0.1.0 so image builds stay reproducible.
• Build-time install-dynamic-plugins --help smoke check so a missing or renamed CLI entrypoint fails the image build instead of the pod.
• install-dynamic-plugins.sh shim at the original /opt/app-root/src/ path delegates to node_modules/.bin/install-dynamic-plugins (npm-managed symlink) so the Helm chart and Operator init-container spec keep working unchanged.

Cold-start benchmark (final)

On an empty dynamic-plugins.yaml, macOS, hyperfine, 50 runs each, warm cache:

Variant	Bundle / install size	Median	σ
Bundled .cjs (current main)	231 KB single file	59 ms	±3 ms
npm install cli-module + dispatch	25 MB node_modules	176 ms	±21 ms
npm install cli-module + fast-path bin (this PR's target)	25 MB node_modules	101 ms	±15 ms

The fast-path bin (in the rhdh-plugins unbundled branch) bypasses @backstage/cli-node's runCliModule dispatch for direct invocation — saves ~75 ms of cold start. Net cost vs the current bundled approach is ~42 ms per pod start, dwarfed by the actual skopeo / npm pack work that follows.

Hermetic build (Konflux / hermeto)

scripts/local-hermeto-build.sh:213 calls hermeto fetch-deps with rpm, yarn, yarn ./dynamic-plugins, and pip — no npm. Downstream Konflux runs with enableNetwork: false, so as-is this PR's RUN npm install ... will fail in the hermetic build.

hermeto does support npm prefetch (needs package-lock.json v2+). To land this PR end-to-end, the gating work is:

1. A package-lock.json somewhere in this repo describing the installer + transitive deps
2. Adding {"type": "npm", "path": "<lockfile-dir>"} to the hermeto fetch-deps invocation in scripts/local-hermeto-build.sh and the equivalent midstream config (see sync-midstream.sh)
3. The RUN npm install in this Containerfile needs to read from /cachi2/output/deps/npm/ (likely via injected env vars from generate-env)

Happy to do that work in a follow-up commit on this PR (or split into a separate prep PR) — flagging now so reviewers can weigh the cost. If the hermeto-npm wiring is too costly, the alternative is to keep the COPY pattern but pull the bundled .cjs from the published npm tarball during sync-midstream.sh — that keeps the hermetic build trivial and gives us the upstream-published source of truth.

Follow-ups

• Delete scripts/install-dynamic-plugins/ from this repo once @red-hat-developer-hub/cli-module-install-dynamic-plugins is published and consumed.
• Wire npm into hermeto fetch-deps (per "Hermetic build" above).

🤖 Generated with Claude Code

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 55.25%. Comparing base (c1acb63) to head (6276d9c).
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4908      +/-   ##
==========================================
- Coverage   55.82%   55.25%   -0.58%     
==========================================
  Files         121      109      -12     
  Lines        2350     2132     -218     
  Branches      562      537      -25     
==========================================
- Hits         1312     1178     -134     
+ Misses       1032      953      -79     
+ Partials        6        1       -5     

Flag	Coverage Δ
rhdh	55.25% <ø> (-0.58%)	⬇️

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update c1acb63...6276d9c. Read the comment docs.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

The container image build workflow finished with status: cancelled.

[github-actions]

The container image build workflow finished with status: cancelled.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[github-actions]

The container image build workflow finished with status: failure.

[openshift-ci]

@gustavolira: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-ocp-helm	6276d9c	link	true	/test e2e-ocp-helm

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.