
client: add one-line installer and its CDN publish workflow#3867

Merged
armcconnell merged 1 commit into main from feat/install-script-publish on Jun 10, 2026

Conversation

@armcconnell

Contributor

Summary of Changes

  • Add client/install.sh — the curl … | bash installer served at https://get.doublezero.xyz/install. It checks for Docker (offering to install it), preps the host for GRE (tun/ip_gre modules, firewall + cloud-firewall warnings), prompts for environment and keypair, runs the thin doublezero client container with the right capabilities, and connects.
  • Add release.install-script.yml — on pushes to main touching the script, it uploads install.sh to the doublezero-install S3 bucket and invalidates CloudFront, authenticating via GitHub OIDC into a main-only deploy role (no static keys).
  • Mounts the user's keypair read-only to the client's default path, and persists the chosen environment so client and daemon stay in lockstep.

The S3/CloudFront hosting infrastructure is documented in the infra repo runbook (install-script-hosting.md).

Diff Breakdown

| Category   | Files | Lines (+/-) | Net  |
| ---------- | ----- | ----------- | ---- |
| Core logic | 1     | +220 / -0   | +220 |
| CI/build   | 1     | +43 / -0    | +43  |
| Total      | 2     | +263 / -0   | +263 |

Two additive files: the installer (a self-contained bash script) and a small OIDC publish workflow; no application code touched.

Key files (click to expand)
  • client/install.sh — host-side installer: preconditions (Linux/amd64/root), Docker detect+install, GRE prep, cloud-firewall detection (AWS/GCP/Azure), keypair bind-mount with path validation + SELinux relabel, docker run with --network host / NET_ADMIN / NET_RAW / /dev/net/tun, connect, and status. Reads prompts from /dev/tty so it works under curl | bash, and is fully overridable via env vars for non-interactive use.
  • .github/workflows/release.install-script.yml — OIDC → S3 upload + CloudFront invalidation on main changes to the script (workflow_dispatch for manual republish).

Testing Verification

  • Ran the installer end to end on a clean Ubuntu 24.04 amd64 EC2 host: Docker detection, GRE module prep, AWS cloud-firewall warning, keypair mount, container start, and doublezero status all worked; verified both the curl|bash (self-sudo) and sudo bash invocation paths, and NOPASSWD-sudo detection.
  • Validated install.sh with bash -n and the workflow with actionlint (clean).
  • Verified the hosting target out-of-band: https://get.doublezero.xyz/install is served by CloudFront (HTTP 200, text/x-shellscript, valid TLS). The deploy role + bucket + distribution already exist; the workflow's first real run happens on merge to main.

Notes for reviewers

  • The workflow hardcodes non-secret infra IDs (account, role ARN, bucket, distribution) in its env: block rather than using secrets — they're not sensitive and are also captured in the infra runbook. Easy to switch to repo variables if preferred.
  • This is the first AWS-OIDC workflow in the repo (existing id-token: write usages are for PyPI trusted publishing), so it introduces aws-actions/configure-aws-credentials.
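The installer mechanics described above (prompts read from /dev/tty so they work under curl | bash, env-var overrides for non-interactive runs, keypair path validation with an SELinux relabel, and a docker run limited to host networking plus NET_ADMIN/NET_RAW and the tun device) as an added example. This is not the project's client/install.sh. The image name, the DZ_* variable names, the in-container keypair path, the state directory, and the container name and restart policy are assumptions; Docker auto-install and cloud-firewall detection are left out.

```bash
#!/usr/bin/env bash
# Added example in the shape of the installer the PR describes; not the
# project's client/install.sh. Assumed (not from the PR): image name, DZ_*
# variable names, in-container keypair path, state directory, container name.
set -euo pipefail

IMAGE="${DZ_IMAGE:-registry.example/doublezero/client:latest}"   # assumed
CONTAINER_KEYPAIR="/root/.config/doublezero/id.json"              # assumed
STATE_DIR="${DZ_STATE_DIR:-/etc/doublezero}"                      # assumed

# Under `curl ... | bash` stdin is the script itself, so prompts must use the
# controlling terminal. An environment variable overrides the prompt for
# non-interactive runs; with no tty and no override we fail rather than hang.
prompt() {  # prompt VAR "question" [default]  -> prints the chosen value
  local var=$1 question=$2 default=${3:-} answer
  if [ -n "${!var:-}" ]; then printf '%s\n' "${!var}"; return 0; fi
  if { : < /dev/tty; } 2>/dev/null; then
    printf '%s%s: ' "$question" "${default:+ [$default]}" > /dev/tty
    read -r answer < /dev/tty
    printf '%s\n' "${answer:-$default}"
  else
    echo "no terminal available and $var is not set" >&2
    return 1
  fi
}

ensure_root() {
  [ "$(id -u)" -eq 0 ] && return 0
  echo "root is required (kernel modules, docker); rerun under sudo" >&2
  return 1
}

# GRE needs the ip_gre module and the client needs a tun device node.
prepare_host() {
  modprobe ip_gre 2>/dev/null || echo "warning: ip_gre not loadable; GRE will not come up" >&2
  [ -c /dev/net/tun ] || modprobe tun 2>/dev/null || true
  [ -c /dev/net/tun ] || { echo "/dev/net/tun is missing" >&2; return 1; }
  command -v docker >/dev/null 2>&1 || { echo "docker is not installed" >&2; return 1; }
}

# The keypair is bind-mounted, so the path must be absolute and a readable
# regular file; a secret key readable by group/other only gets a warning.
validate_keypair_path() {
  local p=$1 mode
  case $p in /*) ;; *) echo "keypair path must be absolute: $p" >&2; return 1 ;; esac
  [ -f "$p" ] || { echo "keypair is not a regular file: $p" >&2; return 1; }
  [ -r "$p" ] || { echo "keypair is not readable: $p" >&2; return 1; }
  mode=$(stat -c %a "$p" 2>/dev/null || stat -f %Lp "$p")
  [ $(( 8#$mode & 077 )) -eq 0 ] || echo "warning: $p is readable by group/other (mode $mode)" >&2
}

# On SELinux hosts a bind mount needs a relabel (",z") or the container
# cannot read it.
selinux_suffix() {
  if command -v getenforce >/dev/null 2>&1 && [ "$(getenforce 2>/dev/null)" != "Disabled" ]; then
    printf ',z'
  fi
}

# One argument per line. Host networking plus NET_ADMIN/NET_RAW and the tun
# device are what GRE needs; nothing here asks for --privileged.
docker_run_args() {  # docker_run_args <keypair path> <environment>
  local keypair=$1 environment=$2
  printf '%s\n' run -d --name doublezero-client --restart unless-stopped \
    --network host --cap-add NET_ADMIN --cap-add NET_RAW --device /dev/net/tun \
    -v "$keypair:$CONTAINER_KEYPAIR:ro$(selinux_suffix)" \
    -e "DZ_ENV=$environment" "$IMAGE"
}

install_main() {
  local environment keypair args
  ensure_root
  prepare_host
  environment=$(prompt DZ_ENV "environment")
  keypair=$(prompt DZ_KEYPAIR "absolute path to keypair")
  validate_keypair_path "$keypair"
  mkdir -p "$STATE_DIR"
  printf 'DZ_ENV=%s\n' "$environment" > "$STATE_DIR/env"  # persist for later client runs
  mapfile -t args < <(docker_run_args "$keypair" "$environment")
  docker "${args[@]}"
}

# Only run the installer when explicitly asked, so the functions above can be
# sourced or tested without touching the host.
if [ "${RUN_INSTALL:-0}" = 1 ]; then install_main; fi
```

A non-interactive run under these assumptions is `DZ_ENV=<env> DZ_KEYPAIR=/abs/path/id.json RUN_INSTALL=1 sudo -E bash install.sh`; without the overrides each prompt is answered on the terminal even though stdin is the pipe from curl.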

Add client/install.sh (the curl | bash installer served at
get.doublezero.xyz/install) and release.install-script.yml, which uploads it to
the doublezero-install S3 bucket and invalidates CloudFront on pushes to main.
Auth is GitHub OIDC into a main-only deploy role; hosting is documented in the
infra repo runbook.
@armcconnell

Contributor Author

Pre-merge validation:

  1. Structure — act runs clean through checkout; fails only at configure-aws-credentials (act can't mint an OIDC token). No workflow errors.
  2. Deploy path — ran the exact aws s3 cp + cloudfront create-invalidation against the real bucket/distribution; https://get.doublezero.xyz/install serves the script over HTTPS.
  3. Auth — GitHub OIDC into a main-only role scoped to that one bucket + distribution. No AWS keys in GitHub.
  4. OIDC end-to-end — validates on first run from main post-merge.
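The deploy path and the main-only OIDC role from the comment above, as an added example that is not the PR's release.install-script.yml or its IAM role: the exact subject claim a trust policy has to pin so only pushes to main can assume the role, the upload with the content type the PR reports the edge serving plus the invalidation, and a post-publish check that what CloudFront serves hashes to what was uploaded. ORG/REPO, the bucket, distribution id, URL and the cache TTL are placeholders.

```bash
#!/usr/bin/env bash
# Added example, not the PR's workflow or deploy role. ORG/REPO, bucket,
# distribution id, URL and TTL are placeholders.
set -euo pipefail

# A deploy role that should only be assumable from main pins the token's
# subject exactly. The IAM trust policy condition this function mirrors is:
#   "StringEquals": {
#     "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
#     "token.actions.githubusercontent.com:sub": "repo:ORG/REPO:ref:refs/heads/main" }
# A StringLike on "repo:ORG/REPO:*" would also admit pull_request and tag runs.
oidc_claims_allowed() {  # oidc_claims_allowed <aud> <sub> <org/repo>
  local aud=$1 sub=$2 repo=$3
  [ "$aud" = "sts.amazonaws.com" ] && [ "$sub" = "repo:$repo:ref:refs/heads/main" ]
}

sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}
same_content() { [ "$(sha256_of "$1")" = "$(sha256_of "$2")" ]; }

# Publish: syntax-check first, upload with the MIME type the edge should serve,
# then invalidate so the previous copy is not served for the rest of its TTL.
publish_script() {  # publish_script <file> <bucket> <distribution id> [key]
  local file=$1 bucket=$2 dist=$3 key=${4:-install}
  bash -n "$file"
  aws s3 cp "$file" "s3://$bucket/$key" --content-type text/x-shellscript --cache-control 'max-age=300'
  aws cloudfront create-invalidation --distribution-id "$dist" --paths "/$key"
}

# Post-publish check: what the edge serves must hash to what was uploaded
# (catches a failed invalidation, a stale object, or a modified copy).
served_matches() {  # served_matches <url> <file>
  local url=$1 file=$2 tmp
  tmp=$(mktemp)
  trap 'rm -f "$tmp"' RETURN
  curl -fsSL --proto '=https' --tlsv1.2 "$url" -o "$tmp"
  same_content "$tmp" "$file"
}

# Only act when explicitly asked; the functions above are otherwise inert.
if [ "${RUN_PUBLISH:-0}" = 1 ]; then
  publish_script "${1:-client/install.sh}" "${BUCKET:?}" "${DISTRIBUTION_ID:?}"
  served_matches "${INSTALL_URL:?}" "${1:-client/install.sh}"
fi
```

The same hash comparison serves a consumer who wants to look before piping: `curl -fsSL "$INSTALL_URL" -o install.sh` and compare sha256_of against a hash obtained out of band, then run the saved file.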

@armcconnell armcconnell merged commit f2c6243 into main Jun 10, 2026
33 of 34 checks passed
@armcconnell armcconnell deleted the feat/install-script-publish branch June 10, 2026 15:25