feature(distribution): upload packages to s3

[victorvhs017]

Description 📣

Adds S3-based package repository support for APK (Alpine) and RPM packages, alongside existing Cloudsmith uploads. Includes setup scripts for end users and updates the CI/CD workflow to upload and sign packages.

Changes Made

1. Enhanced Package Upload Script (upload_to_cloudsmith.sh)

• APK packages: Uploads to S3, generates and signs APKINDEX.tar.gz for x86_64 and aarch64
• RPM packages: Signs RPMs with GPG and uploads to S3, regenerates repository metadata using mkrepo
• DEB packages: Already supported via deb-s3 (no changes)
• Maintains backward compatibility: continues uploading to Cloudsmith during transition

2. New Setup Scripts

• scripts/setup.apk.sh: Alpine repository setup script
  • Imports RSA public key
  • Configures APK repository
  • Supports x86_64 and aarch64 architectures
• scripts/setup.rpm.sh: RPM repository setup script
  • Detects OS distribution (RHEL, CentOS, Fedora, SUSE, etc.)
  • Imports GPG keys
  • Configures YUM/DNF/Zypper repositories

3. GitHub Workflow Updates (.github/workflows/release_build_infisical_cli.yml)

• Installs required tools: mkrepo, boto3, awscli, rpm (for RPM signing)
• Configures APK signing key from base64-encoded secret
• Adds environment variables for S3 access and signing
• Expands CloudFront cache invalidation to include RPM and APK paths

Pre-Merge Checklist

GitHub Secrets Required

1. APK_PRIVATE_KEY (NEW)
   • Base64-encoded RSA private key for APK package signing
   • Generate with: openssl genrsa -out infisical.rsa 4096
   • Encode with: base64 -w 0 infisical.rsa
   • Store the base64 string as the secret

S3 Bucket Setup Required

Configure the S3 bucket with the following structure and assets:

1. Directory Structure - DONE

   s3://infisical-cli-artifacts-repo/
   ├── apk/
   │   └── stable/
   │       └── main/
   │           ├── x86_64/
   │           └── aarch64/
   ├── rpm/
   │   ├── Packages/
   │   └── repodata/
   └── deb/
       └── (existing structure)
   

2. Public Keys to Upload

   • APK Public Key: Upload the RSA public key to s3://infisical-cli-artifacts-repo/apk/infisical.rsa.pub
     • Extract from private key (the APK_PRIVATE_KEY added as secret in GitHub): openssl rsa -in infisical.rsa -pubout -out infisical.rsa.pub

---

Note: This PR maintains dual upload (Cloudsmith + S3) during the transition period. Once S3 repositories are validated, Cloudsmith uploads can be removed in a future PR.

Type ✨

• Bug fix
• New feature
• Improvement
• Breaking change
• Documentation

---

Tests

I tested the scripts locally with dummy data.
I also tested in the AWS dev environment, and the workflow for the APK worked

I couldn't test the RPM upload locally because the rpm-sign command is linux only

• I have read the contributing guide, agreed and acknowledged the code of conduct. 📝

[greptile-apps]

Greptile Overview

Greptile Summary

Adds S3-based package repository infrastructure for APK and RPM packages alongside existing Cloudsmith uploads. This PR implements a dual-upload strategy during the transition period.

Major Changes:

• Enhanced upload_to_cloudsmith.sh with S3 upload logic for APK and RPM packages, including Docker-based APKINDEX generation and mkrepo for RPM metadata
• Added new user-facing setup scripts (setup.apk.sh and setup.rpm.sh) for repository configuration
• Updated GitHub workflow to install dependencies (mkrepo, boto3, awscli, rpm) and configure APK signing keys
• Expanded CloudFront cache invalidation to include new package paths

Key Observations:

• The implementation follows secure practices with proper validation of environment variables and signing key paths
• Docker container for APK signing uses read-only volume mounts for private keys
• Scripts handle architecture detection and multiple package managers appropriately
• S3 syncs preserve old package versions (intentional per previous thread discussion)

Issues Found:

• The setup.rpm.sh script pipes curl output directly to Python for pip installation without checksum verification, creating a remote code execution vector if bootstrap.pypa.io is compromised
• AWS CLI commands could expose internal bucket structure in CI logs (minor information disclosure)
• README.md still references old Cloudsmith URLs for Alpine/RPM setup scripts and may need updating

Confidence Score: 4/5

• This PR is safe to merge with minimal security risk given the dual-upload approach and tested validation logic
• Score reflects well-structured implementation with proper validation and security controls, offset by one critical RCE vulnerability in setup.rpm.sh that affects end users (not CI) and minor information disclosure issues in logging
• scripts/setup.rpm.sh requires attention for the curl-to-python piping vulnerability. Other files are well-implemented

Important Files Changed

Filename	Overview
upload_to_cloudsmith.sh	Added S3 upload support for APK and RPM packages with signing, includes Docker-based APKINDEX generation and mkrepo for RPM metadata
.github/workflows/release_build_infisical_cli.yml	Added dependencies (mkrepo, boto3, awscli, rpm), APK signing key setup, and expanded CloudFront cache invalidation
scripts/setup.apk.sh	New Alpine repository setup script with architecture detection, RSA key import, and repository configuration
scripts/setup.rpm.sh	New RPM repository setup script with OS detection, GPG key import, and multi-package-manager support (DNF/YUM/Zypper)

[greptile-apps]

_{4 files reviewed, 8 comments}

_{Edit Code Review Agent Settings | Greptile}

[victorvhs017]

@greptileai re-review and update the summary

[greptile-apps]

_{2 files reviewed, 7 comments}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

Additional Comments (1)

upload_to_cloudsmith.sh
Missing CloudFront cache invalidation for /apk/stable/main/* in this workflow step. The workflow file (.github/workflows/release_build_infisical_cli.yml:163) includes it, but verify $CLOUDFRONT_DISTRIBUTION_ID is properly configured.

[victorvhs017]

@greptileai re-review and update the summary

[greptile-apps]

_{4 files reviewed, 4 comments}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

Additional Comments (2)

README.md
Alpine installation instructions still reference the old Cloudsmith URL instead of the new S3-based repository. Update to match the new infrastructure:

_Alpine:_

```bash
curl -1sLf 'https://artifacts-cli.infisical.com/scripts/setup.apk.sh' | sudo sh
sudo apk add infisical

---

README.md
RPM installation instructions still reference the old Cloudsmith URL instead of the new S3-based repository. Update to use the new setup script:

_RHEL/CentOS:_

```bash
curl -1sLf 'https://artifacts-cli.infisical.com/scripts/setup.rpm.sh' | sudo -E bash
sudo yum install infisical

[victorvhs017]

Additional Comments (2)
README.md Alpine installation instructions still reference the old Cloudsmith URL instead of the new S3-based repository. Update to match the new infrastructure:

_Alpine:_

```bash
curl -1sLf 'https://artifacts-cli.infisical.com/scripts/setup.apk.sh' | sudo sh
sudo apk add infisical

README.md RPM installation instructions still reference the old Cloudsmith URL instead of the new S3-based repository. Update to use the new setup script:

_RHEL/CentOS:_

```bash
curl -1sLf 'https://artifacts-cli.infisical.com/scripts/setup.rpm.sh' | sudo -E bash
sudo yum install infisical

These are fine, we're testing the S3 flow first, and we'll upload to both places.

[victorvhs017]

@greptileai re-review and update the summary

[greptile-apps]

_{4 files reviewed, 5 comments}

_{Edit Code Review Agent Settings | Greptile}