Disabling command-eval also disables plugins

[tigris]

When running agents on v3.8.4, we were using these settings

BUILDKITE_NO_PLUGINS: 'false'
BUILDKITE_NO_COMMAND_EVAL: 'true'

This allowed us to run plugins (we have our own security check in place for plugins), whilst also disabling command eval.

According to the documentation for command eval https://buildkite.com/docs/agent/v3/securing#disabling-command-eval this shouldn't have been possible. This is backed up by https://github.com/buildkite/agent/issues/674

In any case, we were indeed able to run plugins with command eval disabled just fine. However upgrading to 3.9.1 has broken that functionality.

Can we get some clarity if it was working incorrectly before and that "bug" has now been fixed (so we need to find a new way to disable command eval), or should it be that way and the documentation is misleading?

[lox]

Apologies, I believe this is a regression caused by https://github.com/buildkite/agent/pull/908. It should work as you described, although I deeply regret making it work like that in the first place!

[tigris]

The way we're using it seems undocumented. If you do choose to fix it, can we document it?

If I'm the only weird person using that functionality, I'm sure I can find a different way. I'd feel safer doing that than relying on an undocumented feature.

[lox]

The way we're using it seems undocumented. If you do choose to fix it, can we document it?

Yup, absolutely will do, as well as add a test to prevent a regression. My apologies!

If I'm the only weird person using that functionality, I'm sure I can find a different way. I'd feel safer doing that that relying on an undocumented feature.

Agreed, we'll figure out a good path forward that achieves what y'all are trying to do!