fix: streamline APKINDEX generation and signing process #126

Merged: victorvhs017 merged 1 commit into main from fix/apk-signing on Feb 12, 2026

@victorvhs017
Contributor

Description 📣

  • Generate and sign APKINDEX.tar.gz using Alpine container with abuild-sign
  • Use --allow-untrusted for index generation (matches Cloudsmith behavior - only index is signed, not individual packages)

Type ✨

  • Bug fix
  • New feature
  • Improvement
  • Breaking change
  • Documentation

- Introduced a function to handle the generation and signing of APKINDEX for different architectures, improving code reusability and clarity.
- Updated comments to clarify the signing process for nFPM-generated APKs and the use of --allow-untrusted flag.
@victorvhs017 victorvhs017 changed the title refactor: streamline APKINDEX generation and signing process fix: streamline APKINDEX generation and signing process Feb 11, 2026
@greptile-apps
Contributor

greptile-apps bot commented Feb 11, 2026

Greptile Overview

Greptile Summary

This PR refactors the APKINDEX generation process to use a cleaner, more maintainable approach. The key changes include:

  • Extracted duplicate APKINDEX generation code for x86_64 and aarch64 into a reusable process_arch() function
  • Added --allow-untrusted flag to apk index command to support nFPM-generated packages that aren't individually signed with Alpine tools
  • Improved documentation explaining that only the APKINDEX is signed (containing package checksums), not individual APK files, which matches Cloudsmith's behavior

The refactoring improves code maintainability by eliminating duplication and makes the architecture handling more scalable.

Confidence Score: 5/5

  • This PR is safe to merge with minimal risk
  • The changes are a straightforward refactoring that improves code organization without altering core functionality. The addition of --allow-untrusted properly addresses the nFPM package signing model, and the function extraction reduces code duplication while maintaining the same behavior. No security concerns or breaking changes were identified.
  • No files require special attention

Important Files Changed

| Filename | Overview |
| --- | --- |
| upload_to_cloudsmith.sh | Refactored APKINDEX generation into a reusable function and added --allow-untrusted flag for nFPM-generated packages. Improved code organization with clear documentation. |

Contributor

@greptile-apps greptile-apps bot left a comment

1 file reviewed, 1 comment

@victorvhs017 victorvhs017 merged commit 825440c into main Feb 12, 2026
5 checks passed
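
Added example, not part of this PR or the project's code: with only the index signed, a package is trusted solely through its `C:` checksum entry in APKINDEX, so this sketch recomputes that checksum (SHA-1 of the control segment's gzip stream, `Q1` + base64) and compares it with the index record. It assumes the index text has already passed signature verification; the `demo` package, its contents and all function names are constructed for illustration.

```python
import base64, gzip, hashlib, io, tarfile, zlib

def split_gzip_members(blob):
    """Split an .apk into its concatenated gzip streams: [(raw, decompressed), ...]."""
    members = []
    while blob:
        d = zlib.decompressobj(wbits=31)
        plain = d.decompress(blob)
        if not d.eof:
            raise ValueError("truncated gzip stream")
        members.append((blob[:len(blob) - len(d.unused_data)], plain))
        blob = d.unused_data
    return members

def control_checksum(apk_bytes):
    """Value of the index C: field: Q1 + base64(SHA-1 of the raw control stream)."""
    members = split_gzip_members(apk_bytes)
    # An individually signed package carries a leading stream with a .SIGN.* entry.
    if members[0][1].startswith(b".SIGN."):
        members = members[1:]
    return "Q1" + base64.b64encode(hashlib.sha1(members[0][0]).digest()).decode()

def parse_apkindex(text):
    """Map 'name-version' to its C: checksum; records are separated by blank lines."""
    index = {}
    for record in text.strip().split("\n\n"):
        f = dict(l.split(":", 1) for l in record.splitlines() if ":" in l)
        index[f"{f['P']}-{f['V']}"] = f["C"]
    return index

def verify(apk_bytes, name_ver, index):
    """True only if the package is listed and its control segment matches the index."""
    expected = index.get(name_ver)
    return expected is not None and expected == control_checksum(apk_bytes)

def tar_gz(name, payload):
    """Helper for the constructed sample: one-file tar, gzip-compressed."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as t:
        info = tarfile.TarInfo(name)
        info.size = len(payload)
        t.addfile(info, io.BytesIO(payload))
    return gzip.compress(buf.getvalue())

# Constructed sample: an unsigned package (control + data) and a modified copy.
# The data stream is bound separately via datahash in .PKGINFO (not checked here).
DATA = tar_gz("usr/bin/demo", b"#!/bin/sh\n")
APK = tar_gz(".PKGINFO", b"pkgname = demo\npkgver = 1.0-r0\n") + DATA
TAMPERED = tar_gz(".PKGINFO", b"pkgname = demo\npkgver = 1.0-r0\n# changed\n") + DATA
INDEX = parse_apkindex(f"C:{control_checksum(APK)}\nP:demo\nV:1.0-r0\n\n")
```

A package whose control segment changes after the index was generated no longer matches its `C:` entry, which is why the index has to be regenerated and re-signed whenever a package file is replaced.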