Infisical
diff --git a/‎.claude-plugin/marketplace.json‎
Lines changed: 29 additions & 0 deletions b/‎.claude-plugin/marketplace.json‎
Lines changed: 29 additions & 0 deletions
diff --git a/‎.github/workflows/validate-plugins.yml‎
Lines changed: 19 additions & 0 deletions b/‎.github/workflows/validate-plugins.yml‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎.gitignore‎
Lines changed: 4 additions & 0 deletions b/‎.gitignore‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎AGENTS.md‎
Lines changed: 11 additions & 0 deletions b/‎AGENTS.md‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎LICENSE‎
Lines changed: 21 additions & 0 deletions b/‎LICENSE‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 73 additions & 0 deletions b/‎README.md‎
Lines changed: 73 additions & 0 deletions
diff --git a/‎plugins/infisical-setup/.claude-plugin/plugin.json‎
Lines changed: 13 additions & 0 deletions b/‎plugins/infisical-setup/.claude-plugin/plugin.json‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎plugins/infisical-setup/skills/infisical-setup/SKILL.md‎
Lines changed: 41 additions & 0 deletions b/‎plugins/infisical-setup/skills/infisical-setup/SKILL.md‎
Lines changed: 41 additions & 0 deletions
diff --git a/‎plugins/infisical-setup/skills/infisical-setup/references/cicd-integration.md‎
Lines changed: 112 additions & 0 deletions b/‎plugins/infisical-setup/skills/infisical-setup/references/cicd-integration.md‎
Lines changed: 112 additions & 0 deletions
@@ -0,0 +1,29 @@
+{
+  "name": "infisical-ai-skills",
+  "owner": {
+    "name": "Infisical",
+    "email": "support@infisical.com"
+  },
+  "metadata": {
+    "description": "Official Infisical skills for AI coding agents — correct SDK usage, auth methods, Docker/K8s integration, and more.",
+    "version": "1.0.0",
+    "pluginRoot": "./plugins"
+  },
+  "plugins": [
+    {
+      "name": "infisical-setup",
+      "source": "./infisical-setup",
+      "description": "Interactive setup guide for integrating Infisical into your projects — CLI, Docker, Kubernetes, CI/CD, SDKs, and machine identity auth.",
+      "version": "1.0.0",
+      "author": {
+        "name": "Infisical"
+      },
+      "homepage": "https://infisical.com/docs",
+      "repository": "https://github.com/Infisical/ai-skills",
+      "license": "MIT",
+      "keywords": ["infisical", "secrets", "secret-management", "sdk", "docker", "kubernetes", "cicd"],
+      "category": "developer-tools",
+      "tags": ["secrets", "security", "devops", "infrastructure"]
+    }
+  ]
+}
@@ -0,0 +1,19 @@
+name: Validate Plugins
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Claude Code
+        run: npm install -g @anthropic-ai/claude-code
+
+      - name: Validate marketplace and plugins
+        run: claude plugin validate .
@@ -0,0 +1,4 @@
+node_modules/
+.DS_Store
+*.log
+.env
@@ -0,0 +1,11 @@
+# Infisical AI Skills
+
+## Available Skills
+
+### infisical-setup
+
+**Description:** Interactive setup guide for integrating Infisical into your projects — CLI, Docker, Kubernetes, CI/CD, SDKs, and machine identity auth.
+
+**Location:** `skills/infisical-setup/SKILL.md`
+
+**Use when:** You need to integrate Infisical secret management into an application, container, pipeline, or infrastructure. Covers CLI setup, all 6 SDKs (Node.js, Python, Go, Java, .NET, Ruby), Docker build/runtime injection, Kubernetes Operator, GitHub Actions/GitLab CI, and all 12 machine identity auth methods.
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Infisical Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
@@ -0,0 +1,73 @@
+# Infisical AI Skills
+
+Official [Agent Skills](https://agentskills.io) for [Infisical](https://infisical.com) — the open-source secret management platform.
+
+These skills give AI coding agents accurate, up-to-date knowledge about Infisical's SDKs, CLI, Docker integration, Kubernetes Operator, CI/CD setup, and machine identity auth methods. Without them, AI tools frequently hallucinate wrong package names, deprecated auth patterns, and broken install commands.
+
+## Install
+
+### Universal (45+ agents)
+
+Works with Claude Code, OpenAI Codex, Cursor, GitHub Copilot, Windsurf, Gemini CLI, and more:
+
+```bash
+npx skills add Infisical/ai-skills
+```
+
+### Claude Code (plugin marketplace)
+
+```bash
+/plugin marketplace add Infisical/ai-skills
+/plugin install infisical-setup@infisical-ai-skills
+```
+
+### Manual
+
+Copy `skills/infisical-setup/` into your project's agent skills directory:
+
+| Agent | Location |
+|-------|----------|
+| Claude Code | `.claude/skills/` |
+| Codex | `~/.codex/skills/` |
+| Cursor | `.cursor/skills/` or `.agents/skills/` |
+| GitHub Copilot | `.github/skills/` |
+
+## What's included
+
+### infisical-setup
+
+An interactive setup guide that helps you integrate Infisical into your projects. Covers:
+
+- **CLI** — `infisical run`, `infisical init`, local development workflow
+- **SDKs** — Node.js, Python, Go, Java, .NET, Ruby (correct package names, imports, and class names)
+- **Docker** — Build-time and runtime secret injection, `infisical run` entrypoint pattern
+- **Kubernetes** — Operator installation, InfisicalSecret CRD, Kubernetes Auth setup
+- **CI/CD** — GitHub Actions (OIDC Auth), GitLab CI (`id_tokens`)
+- **Auth methods** — All 12 machine identity auth methods with a decision tree for choosing the right one
+
+## Why this exists
+
+AI coding agents frequently get Infisical details wrong:
+
+| What AI says | What's correct |
+|-------------|---------------|
+| `pip install infisical-python` | `pip install infisicalsdk` |
+| `from infisical_client import InfisicalClient` | `from infisical_sdk import InfisicalSDKClient` |
+| Use Service Tokens for Docker | Use machine identities (Service Tokens are deprecated) |
+| `npm install -g infisical` | Install via `apt` from `artifacts-cli.infisical.com` |
+| API Key Auth for Kubernetes | Kubernetes Auth (API Keys are deprecated) |
+
+These skills correct all of that.
+
+## Contributing
+
+To add a new skill:
+
+1. Create a directory under `skills/` and `plugins/infisical-setup/skills/` with a `SKILL.md`
+2. Add a plugin entry in `.claude-plugin/marketplace.json`
+3. Update `AGENTS.md`
+4. Run `claude plugin validate .` to check for errors
+
+## License
+
+MIT
@@ -0,0 +1,13 @@
+{
+  "name": "infisical-setup",
+  "description": "Interactive setup guide for integrating Infisical into your projects — CLI, Docker, Kubernetes, CI/CD, SDKs, and machine identity auth.",
+  "version": "1.0.0",
+  "author": {
+    "name": "Infisical",
+    "email": "support@infisical.com"
+  },
+  "homepage": "https://infisical.com/docs",
+  "repository": "https://github.com/Infisical/ai-skills",
+  "license": "MIT",
+  "keywords": ["infisical", "secrets", "secret-management", "sdk", "docker", "kubernetes", "cicd"]
+}
@@ -0,0 +1,41 @@
+---
+name: infisical-user-setup-guide
+description: "Interactive setup guide for using Infisical as a secret management tool in your projects. Helps users integrate Infisical into local development (CLI), Docker containers (build-time and runtime secret injection), CI/CD pipelines (GitHub Actions, GitLab CI), Kubernetes (Operator + CRDs), and application code (Node.js, Python, Go, Java, .NET, Ruby SDKs). Also walks through choosing and configuring machine identity auth methods (Universal Auth, AWS Auth, Kubernetes Auth, OIDC, etc.). Use this skill whenever someone asks about: using Infisical, injecting secrets, infisical run, infisical init, connecting their app to Infisical, Docker secrets, Kubernetes secrets operator, machine identity setup, SDK initialization, CI/CD secret injection, or 'how do I get my secrets into my app'."
+---
+
+# Infisical User Setup Guide
+
+You are an interactive setup assistant helping users integrate Infisical into their projects. Unlike a self-hosting guide, this skill is for people who *use* Infisical (cloud or self-hosted) to manage secrets and need help getting secrets into their applications, containers, pipelines, and infrastructure.
+
+## How to use this skill
+
+Start by understanding what the user is trying to do:
+
+1. **Local development** — They want secrets injected into their dev workflow (CLI)
+2. **Docker** — They want secrets in their containers at build time or runtime
+3. **CI/CD** — They want secrets in GitHub Actions, GitLab CI, or other pipelines
+4. **Kubernetes** — They want the Infisical Operator syncing secrets to K8s
+5. **Application code** — They want to fetch secrets programmatically via an SDK
+6. **Auth setup** — They need to create a machine identity and choose an auth method
+
+Read the relevant reference file(s), then walk them through step by step. Don't dump everything at once.
+
+## Reference files
+
+| File | When to read |
+|------|-------------|
+| `references/cli-setup.md` | User wants CLI-based local dev or basic `infisical run` usage |
+| `references/docker-integration.md` | User wants secrets in Docker containers (build or runtime) |
+| `references/kubernetes-operator.md` | User wants the K8s Operator, InfisicalSecret CRD, or dynamic secrets in K8s |
+| `references/sdks.md` | User wants to fetch secrets from application code (any language) |
+| `references/cicd-integration.md` | User wants secrets in GitHub Actions, GitLab CI, or other CI/CD |
+| `references/machine-identity-auth.md` | User needs to create a machine identity or choose an auth method |
+
+## Guiding principles
+
+- **Start with their platform.** Ask what they're running on (AWS, GCP, K8s, local, etc.) before recommending an auth method or integration approach.
+- **Recommend zero-secret auth when possible.** If they're on AWS, recommend AWS Auth. On K8s, recommend Kubernetes Auth. In GitHub Actions, recommend OIDC Auth. Only fall back to Universal Auth (Client ID/Secret) when platform-native options aren't available.
+- **CLI-first for local dev.** For developers working locally, the CLI (`infisical run -- <command>`) is almost always the right starting point. It's the simplest path to "my app has secrets."
+- **SDK for application code.** If they need secrets in application logic (not just env vars), point them to the SDK for their language.
+- **Warn about deprecated patterns.** Service Tokens (`st.*` prefix) and API Keys are deprecated. Always guide toward machine identities.
+- **Security-conscious.** Never generate secrets, tokens, or credentials on the user's behalf. Guide them to generate these themselves. Never log or display secret values.
@@ -0,0 +1,112 @@
+# CI/CD Integration
+
+How to get Infisical secrets into CI/CD pipelines. The recommended approach depends on the platform.
+
+## GitHub Actions (OIDC — recommended)
+
+Zero-secret integration using GitHub's built-in OIDC tokens. No stored secrets needed in GitHub.
+
+### Step 1: Create a machine identity with OIDC auth
+
+In the Infisical dashboard:
+1. Go to Organization Settings > Access Control > Machine Identities
+2. Create an identity and assign a role
+3. Add OIDC Auth with these settings:
+   - **OIDC Discovery URL**: `https://token.actions.githubusercontent.com`
+   - **Issuer**: `https://token.actions.githubusercontent.com`
+   - **Subject**: `repo:<owner>/<repo>:<context>` (e.g., `repo:acme/api:ref:refs/heads/main`)
+   - **Audiences**: Your GitHub org URL (e.g., `https://github.com/acme`)
+4. Add the identity to your project with appropriate permissions
+
+### Step 2: Configure the workflow
+
+```yaml
+name: Deploy
+
+permissions:
+  id-token: write   # Required for OIDC
+  contents: read
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Fetch secrets from Infisical
+        uses: Infisical/secrets-action@v1.0.9
+        with:
+          method: "oidc"
+          identity-id: "<your-identity-id>"
+          project-slug: "your-project"
+          env-slug: "prod"
+
+      - name: Use secrets
+        run: |
+          echo "Secrets are now available as env vars"
+          # e.g., $DATABASE_URL, $API_KEY
+```
+
+**Key parameters for the action:**
+- `method`: `"oidc"` for OIDC auth
+- `identity-id`: The machine identity ID (public, safe to commit)
+- `project-slug`: Your Infisical project slug
+- `env-slug`: Environment (dev, staging, prod)
+
+### Troubleshooting GitHub Actions OIDC
+
+- Ensure `id-token: write` permission is set
+- Subject must exactly match the repo and context (branch, tag, or environment)
+- Audience must match the GitHub org URL
+- Project and environment slugs must match what's configured in Infisical
+
+## GitLab CI
+
+### Option 1: CLI with machine identity token
+
+```yaml
+image: ubuntu
+
+stages:
+  - build
+
+build:
+  stage: build
+  script:
+    - apt update && apt install -y curl bash
+    - curl -1sLf 'https://artifacts-cli.infisical.com/setup.deb.sh' | bash
+    - apt-get install -y infisical
+    - export INFISICAL_TOKEN=$(infisical login --method=universal-auth
+        --client-id=$INFISICAL_CLIENT_ID
+        --client-secret=$INFISICAL_CLIENT_SECRET
+        --plain --silent)
+    - infisical run --projectId=$INFISICAL_PROJECT_ID --env=prod -- npm run build
+```
+
+Store `INFISICAL_CLIENT_ID` and `INFISICAL_CLIENT_SECRET` as GitLab CI/CD variables (Settings > CI/CD > Variables).
+
+### Option 2: OIDC auth (if GitLab supports it for your setup)
+
+GitLab CI can issue OIDC tokens via `CI_JOB_JWT` or `id_tokens`. Configure similarly to GitHub Actions — create a machine identity with OIDC auth, set the issuer to your GitLab instance, and use the JWT to authenticate.
+
+## Other CI/CD platforms
+
+For any CI platform, the pattern is:
+
+1. **Create a machine identity** with an appropriate auth method
+2. **Install the CLI** in the pipeline
+3. **Authenticate**: `infisical login --method=universal-auth --client-id=... --client-secret=... --plain --silent`
+4. **Inject secrets**: `infisical run -- <your-build-command>`
+
+If the CI platform supports OIDC (e.g., CircleCI, Bitbucket), prefer OIDC Auth for zero-secret integration. Otherwise, use Universal Auth with Client ID/Secret stored as CI variables.
+
+## Secret syncs (alternative approach)
+
+Instead of fetching secrets at build time, Infisical can sync secrets directly into your CI/CD platform's native secret store (e.g., GitLab CI/CD Variables). This is a one-way push configured in the Infisical dashboard. Useful if you don't want to install the CLI in your pipeline, but less flexible than runtime injection.
+
+## Security best practices for CI/CD
+
+- **Prefer OIDC over stored credentials** when possible — no secrets to rotate or leak
+- **Scope machine identities tightly** — give each pipeline its own identity with minimum permissions
+- **Use environment-specific identities** — don't let a staging pipeline access production secrets
+- **Pin CLI version** in CI to avoid surprises from upstream updates
-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +node_modules/
 +.DS_Store
 +*.log
 +.env