Merge pull request #120 from Infisical/feature/upload-packages-to-s3

feature(distribution): upload packages to s3

Author: victorvhs017

.github/workflows/release_build_infisical_cli.yml

@@ -124,7 +124,15 @@ jobs:
           AUR_KEY: ${{ secrets.AUR_KEY }}
           GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
       - uses: actions/setup-python@v4
+        with:
+          python-version: "3.12"
       - run: pip install --upgrade cloudsmith-cli
+      - name: Install mkrepo and dependencies
+        run: pip install mkrepo univers boto3
+      - name: Install AWS CLI
+        run: pip install awscli
+      - name: Install rpm-sign
+        run: sudo apt-get install -y rpm
       - uses: ruby/setup-ruby@354a1ad156761f5ee2b7b13fa8e09943a5e8d252
         with:
           ruby-version: "3.3" # Not needed with a .ruby-version, .tool-versions or mise.toml
@@ -136,16 +144,23 @@ jobs:
         env:
           GPG_SIGNING_KEY: ${{ secrets.GPG_SIGNING_KEY }}
           GPG_SIGNING_KEY_PASSPHRASE: ${{ secrets.GPG_SIGNING_KEY_PASSPHRASE }}
-      - name: Publish to CloudSmith
+      - name: Configure APK Signing Key
+        run: |
+          echo -n "$APK_PRIVATE_KEY" | base64 --decode > /tmp/infisical-apk.rsa
+          chmod 600 /tmp/infisical-apk.rsa
+        env:
+          APK_PRIVATE_KEY: ${{ secrets.APK_PRIVATE_KEY }}
+      - name: Publish packages to repositories
         run: sh upload_to_cloudsmith.sh
         env:
           CLOUDSMITH_API_KEY: ${{ secrets.CLOUDSMITH_API_KEY }}
           INFISICAL_CLI_S3_BUCKET: ${{ secrets.INFISICAL_CLI_S3_BUCKET }}
           INFISICAL_CLI_REPO_SIGNING_KEY_ID: ${{ secrets.INFISICAL_CLI_REPO_SIGNING_KEY_ID }}
           AWS_ACCESS_KEY_ID: ${{ secrets.INFISICAL_CLI_REPO_AWS_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.INFISICAL_CLI_REPO_AWS_SECRET_ACCESS_KEY }}
+          APK_PRIVATE_KEY_PATH: /tmp/infisical-apk.rsa
       - name: Invalidate Cloudfront cache
-        run: aws cloudfront create-invalidation --distribution-id $CLOUDFRONT_DISTRIBUTION_ID --paths '/deb/dists/stable/*'
+        run: aws cloudfront create-invalidation --distribution-id $CLOUDFRONT_DISTRIBUTION_ID --paths '/rpm/Packages/*' '/rpm/repodata/*' '/deb/dists/stable/*' '/apk/stable/main/*'
         env:
           AWS_ACCESS_KEY_ID: ${{ secrets.INFISICAL_CLI_REPO_AWS_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.INFISICAL_CLI_REPO_AWS_SECRET_ACCESS_KEY }}

scripts/setup/README.md

@@ -0,0 +1,52 @@
+# Repository Setup Scripts
+
+This folder contains setup scripts that end-users run to configure their systems to install the Infisical CLI from our package repositories.
+
+## Scripts
+
+| Script | Target System | Description |
+|--------|---------------|-------------|
+| `setup.deb.sh` | Debian/Ubuntu | Configures APT repository for `.deb` packages |
+| `setup.rpm.sh` | RHEL/Fedora/CentOS/SUSE | Configures YUM/DNF/Zypper repository for `.rpm` packages |
+| `setup.apk.sh` | Alpine Linux | Configures APK repository for `.apk` packages |
+
+## How They're Used
+
+These scripts are hosted on our S3 artifacts bucket and users download and run them to set up the repository:
+
+```bash
+# Debian/Ubuntu
+curl -1sLf 'https://artifacts-cli.infisical.com/setup.deb.sh' | sudo bash
+
+# RHEL/Fedora/CentOS
+curl -1sLf 'https://artifacts-cli.infisical.com/setup.rpm.sh' | sudo bash
+
+# Alpine Linux
+wget -qO- 'https://artifacts-cli.infisical.com/setup.apk.sh' | sudo sh
+```
+
+After running the setup script, users can install the CLI using their native package manager:
+
+```bash
+# Debian/Ubuntu
+sudo apt-get update && sudo apt-get install infisical
+
+# RHEL/Fedora
+sudo yum install infisical  # or dnf/zypper
+
+# Alpine
+sudo apk add infisical
+```
+
+## What Each Script Does
+
+1. **Imports GPG/RSA signing keys** - Downloads and installs the public key used to verify package signatures
+2. **Configures the repository** - Adds the Infisical repository to the system's package manager
+3. **Updates package cache** - Refreshes the package list so the CLI can be installed
+
+## Deployment
+
+These scripts are uploaded to S3 during the release process. They are served from:
+- `https://artifacts-cli.infisical.com/setup.deb.sh`
+- `https://artifacts-cli.infisical.com/setup.rpm.sh`
+- `https://artifacts-cli.infisical.com/setup.apk.sh`

scripts/setup/setup.apk.sh

@@ -0,0 +1,199 @@
+#!/bin/sh
+#
+# Infisical CLI Alpine Repository Setup Script
+# The core commands execute start from the "MAIN" section below.
+#
+
+set -e
+
+# Environment variables that can be set
+PKG_URL="${PKG_URL:-https://artifacts-cli.infisical.com}"
+PACKAGE_NAME="${PACKAGE_NAME:-infisical}"
+RSA_KEY_URL="${RSA_KEY_URL:-${PKG_URL}/apk/infisical.rsa.pub}"
+
+# Colors (basic POSIX-compatible)
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+BOLD='\033[1m'
+NC='\033[0m' # No Color
+
+echo_status() {
+    local status=$1
+    local message=$2
+    if [ "$status" = "OK" ]; then
+        printf "${GREEN}[  OK  ]${NC} %s\n" "$message"
+    elif [ "$status" = "FAIL" ]; then
+        printf "${RED}[ FAIL ]${NC} %s\n" "$message"
+    elif [ "$status" = "RUN" ]; then
+        printf "[  ..  ] %s\r" "$message"
+    fi
+}
+
+die() {
+    echo
+    printf "${RED}${BOLD}Error:${NC} %s\n" "$1"
+    echo
+    printf "${BOLD}For assistance, please visit:${NC}\n"
+    echo "  https://github.com/Infisical/infisical"
+    echo
+    exit 1
+}
+
+check_tool() {
+    local tool=$1
+    echo_status "RUN" "Checking for required tool '$tool'..."
+    if command -v "$tool" > /dev/null 2>&1; then
+        echo_status "OK" "Checking for required tool '$tool'"
+        return 0
+    else
+        echo_status "FAIL" "Checking for required tool '$tool'"
+        die "$tool is not installed, but is required by this script."
+    fi
+}
+
+detect_arch() {
+    echo_status "RUN" "Detecting system architecture..."
+    local raw_arch=$(uname -m)
+    case "$raw_arch" in
+        x86_64|amd64)
+            arch="x86_64"
+            ;;
+        aarch64|arm64)
+            arch="aarch64"
+            ;;
+        *)
+            echo_status "FAIL" "Detecting system architecture"
+            die "Unsupported architecture: $raw_arch. Supported: x86_64, aarch64"
+            ;;
+    esac
+    echo_status "OK" "Architecture detected: $arch"
+}
+
+import_rsa_key() {
+    echo_status "RUN" "Importing '${PACKAGE_NAME}' repository RSA key..."
+    
+    # Create keys directory if it doesn't exist
+    mkdir -p /etc/apk/keys
+    
+    # Download and install RSA public key
+    if wget -q -O "/etc/apk/keys/${PACKAGE_NAME}.rsa.pub" "${RSA_KEY_URL}"; then
+        chmod 644 "/etc/apk/keys/${PACKAGE_NAME}.rsa.pub"
+        echo_status "OK" "Importing '${PACKAGE_NAME}' repository RSA key"
+    else
+        echo_status "FAIL" "Importing '${PACKAGE_NAME}' repository RSA key"
+        die "Could not download RSA key from ${RSA_KEY_URL}"
+    fi
+}
+
+setup_repository() {
+    local repo_file="/etc/apk/repositories"
+    local repo_url="${PKG_URL}/apk/stable/main/${arch}"
+    
+    echo_status "RUN" "Adding '${PACKAGE_NAME}' repository..."
+    
+    # Check if repository already exists
+    if grep -q "${repo_url}" "${repo_file}" 2>/dev/null; then
+        echo_status "OK" "Repository already configured"
+        return 0
+    fi
+    
+    # Add repository
+    echo "${repo_url}" >> "${repo_file}"
+    echo_status "OK" "Adding '${PACKAGE_NAME}' repository"
+}
+
+update_apk() {
+    echo_status "RUN" "Updating Alpine repository cache..."
+    if apk update > /dev/null 2>&1; then
+        echo_status "OK" "Updating Alpine repository cache"
+    else
+        echo_status "FAIL" "Updating Alpine repository cache"
+        die "Failed to update APK cache. Please check your network connection."
+    fi
+}
+
+usage() {
+    cat << EOF
+Usage: $0 [options]
+
+Options:
+  -h, --help     Display this help message
+  -r, --remove   Remove the repository configuration
+
+Environment variables:
+  PKG_URL        Base URL for packages (default: https://artifacts-cli.infisical.com)
+  PACKAGE_NAME   Package name (default: infisical)
+
+EOF
+    exit 0
+}
+
+remove_repository() {
+    echo "Removing ${PACKAGE_NAME} repository configuration..."
+    
+    # Remove from repositories file
+    if [ -f /etc/apk/repositories ]; then
+        sed -i "\|${PKG_URL}/apk|d" /etc/apk/repositories
+        echo_status "OK" "Removed repository from /etc/apk/repositories"
+    fi
+    
+    # Remove RSA key
+    if [ -f "/etc/apk/keys/${PACKAGE_NAME}.rsa.pub" ]; then
+        rm -f "/etc/apk/keys/${PACKAGE_NAME}.rsa.pub"
+        echo_status "OK" "Removed RSA key"
+    fi
+    
+    # Update cache
+    apk update > /dev/null 2>&1
+    
+    echo
+    echo "Repository removed successfully."
+    exit 0
+}
+
+#
+# MAIN
+#
+
+# Parse arguments
+while [ $# -gt 0 ]; do
+    case "$1" in
+        -h|--help)
+            usage
+            ;;
+        -r|--remove)
+            remove_repository
+            ;;
+        *)
+            echo "Unknown option: $1"
+            usage
+            ;;
+    esac
+    shift
+done
+
+echo
+echo "Executing the setup script for the '${PACKAGE_NAME}' repository..."
+echo
+
+# Check for root privileges
+if [ "$(id -u)" -ne 0 ]; then
+    die "This script must be run as root (e.g., using sudo)"
+fi
+
+# Check requirements
+check_tool "wget"
+
+# Setup
+detect_arch
+import_rsa_key
+setup_repository
+update_apk
+
+echo
+printf "${GREEN}${BOLD}Success!${NC} The repository has been installed successfully.\n"
+echo
+echo "You can now install ${PACKAGE_NAME} with:"
+echo
+printf "  ${BOLD}apk add ${PACKAGE_NAME}${NC}\n"
+echo