diff --git a/.github/workflows/run-cli-smoke-tests.yml b/.github/workflows/run-cli-smoke-tests.yml
new file mode 100644
index 00000000..8c64a15d
--- /dev/null
+++ b/.github/workflows/run-cli-smoke-tests.yml
@@ -0,0 +1,118 @@
+name: CLI Distro Smoke Tests
+
+on:
+  pull_request:
+    types: [opened, synchronize]
+    paths:
+      - "**.go"
+      - "go.mod"
+      - "go.sum"
+      - ".goreleaser.yaml"
+      - "smoke-tests/**"
+      - ".github/workflows/run-cli-smoke-tests.yml"
+
+  workflow_dispatch:
+  workflow_call:
+
+jobs:
+  build:
+    name: Build CLI + packages
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+
+      - name: Set up Go
+        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0
+        with:
+          go-version: "1.25.9"
+
+      - name: Build static binary
+        run: |
+          CGO_ENABLED=0 go build -trimpath \
+            -ldflags "-X github.com/Infisical/infisical-merge/packages/util.CLI_VERSION=0.0.0-smoke" \
+            -o infisical .
+
+      - name: Install nfpm
+        run: |
+          go install github.com/goreleaser/nfpm/v2/cmd/nfpm@v2.46.3
+
+      - name: Create packages
+        run: |
+          mkdir -p smoke-tests/dist
+          nfpm package --config smoke-tests/nfpm.yaml --packager deb --target smoke-tests/dist/infisical.deb
+          nfpm package --config smoke-tests/nfpm.yaml --packager rpm --target smoke-tests/dist/infisical.rpm
+          nfpm package --config smoke-tests/nfpm.yaml --packager apk --target smoke-tests/dist/infisical.apk
+          nfpm package --config smoke-tests/nfpm.yaml --packager archlinux --target smoke-tests/dist/infisical.pkg.tar.zst
+
+      - name: Upload packages
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: smoke-test-packages
+          path: |
+            smoke-tests/dist/
+            smoke-tests/smoke.sh
+          retention-days: 1
+
+  smoke-test:
+    name: ${{ matrix.distro }}
+    needs: build
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - distro: ubuntu-22.04
+            image: ubuntu:22.04
+            pkg: infisical.deb
+            install: "dpkg -i"
+
+          - distro: ubuntu-24.04
+            image: ubuntu:24.04
+            pkg: infisical.deb
+            install: "dpkg -i"
+
+          - distro: debian-12
+            image: debian:12
+            pkg: infisical.deb
+            install: "dpkg -i"
+
+          - distro: fedora-40
+            image: fedora:40
+            pkg: infisical.rpm
+            install: "rpm -i"
+
+          - distro: rockylinux-9
+            image: rockylinux:9
+            pkg: infisical.rpm
+            install: "rpm -i"
+
+          - distro: amazonlinux-2023
+            image: amazonlinux:2023
+            pkg: infisical.rpm
+            install: "rpm -i"
+
+          - distro: alpine-3.20
+            image: alpine:3.20
+            pkg: infisical.apk
+            install: "apk add --allow-untrusted"
+
+          - distro: archlinux
+            image: archlinux:latest
+            pkg: infisical.pkg.tar.zst
+            install: "pacman -U --noconfirm"
+
+    steps:
+      - name: Download packages
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: smoke-test-packages
+          path: artifacts
+
+      - name: Run smoke tests on ${{ matrix.distro }}
+        run: |
+          chmod +x artifacts/smoke.sh
+          docker run --rm \
+            -v "${{ github.workspace }}/artifacts/dist:/dist" \
+            -v "${{ github.workspace }}/artifacts/smoke.sh:/smoke.sh" \
+            ${{ matrix.image }} \
+            sh -c "${{ matrix.install }} /dist/${{ matrix.pkg }} && /smoke.sh"
diff --git a/smoke-tests/nfpm.yaml b/smoke-tests/nfpm.yaml
new file mode 100644
index 00000000..a41149e0
--- /dev/null
+++ b/smoke-tests/nfpm.yaml
@@ -0,0 +1,12 @@
+name: infisical
+arch: amd64
+platform: linux
+version: v0.0.0-smoke
+maintainer: "Infisical, Inc"
+description: "The official Infisical CLI"
+homepage: "https://infisical.com/"
+license: MIT
+
+contents:
+  - src: ./infisical
+    dst: /usr/bin/infisical
diff --git a/smoke-tests/smoke.sh b/smoke-tests/smoke.sh
new file mode 100755
index 00000000..b9601ed5
--- /dev/null
+++ b/smoke-tests/smoke.sh
@@ -0,0 +1,75 @@
+#!/bin/sh
+set -e
+
+DISTRO="unknown"
+if [ -f /etc/os-release ]; then
+  DISTRO=$(. /etc/os-release && echo "$PRETTY_NAME")
+fi
+
+echo "=== CLI Smoke Tests ==="
+echo "Distro: $DISTRO"
+echo "Arch:   $(uname -m)"
+echo ""
+
+passed=0
+failed=0
+
+pass() {
+  passed=$((passed + 1))
+  echo "PASS: $1"
+}
+
+fail() {
+  failed=$((failed + 1))
+  echo "FAIL: $1"
+}
+
+if ! command -v infisical >/dev/null 2>&1; then
+  fail "infisical binary not found in PATH"
+  exit 1
+fi
+pass "binary found at $(command -v infisical)"
+
+# --version
+if output=$(infisical --version 2>&1); then
+  pass "--version ($output)"
+else
+  fail "--version exited with $?"
+fi
+
+# --help
+if infisical --help >/dev/null 2>&1; then
+  pass "--help"
+else
+  fail "--help"
+fi
+
+# core subcommands
+for cmd in secrets run export login agent gateway; do
+  if infisical "$cmd" --help >/dev/null 2>&1; then
+    pass "$cmd --help"
+  else
+    fail "$cmd --help"
+  fi
+done
+
+# shared library check
+BINARY_PATH=$(command -v infisical)
+if command -v ldd >/dev/null 2>&1; then
+  ldd_output=$(ldd "$BINARY_PATH" 2>&1 || true)
+  if echo "$ldd_output" | grep -qi "not a dynamic executable\|statically linked\|not a valid dynamic program"; then
+    pass "static binary (no dynamic dependencies)"
+  elif echo "$ldd_output" | grep -qi "not found"; then
+    fail "missing shared libraries"
+    echo "$ldd_output"
+  else
+    pass "no missing shared libraries"
+  fi
+fi
+
+echo ""
+echo "Results: $passed passed, $failed failed"
+
+if [ "$failed" -gt 0 ]; then
+  exit 1
+fi