Merge pull request #69 from Burnett01/release/7.0.2

Release/7.0.2

.github/dependabot.yml

@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: docker
+    directory: /
+    schedule:
+      interval: monthly

CODE_OF_CONDUCT.md

@@ -0,0 +1,76 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as
+contributors and maintainers pledge to making participation in our project and
+our community a harassment-free experience for everyone, regardless of age, body
+size, disability, ethnicity, sex characteristics, gender identity and expression,
+level of experience, education, socio-economic status, nationality, personal
+appearance, race, religion, or sexual identity and orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment
+include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or
+ advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic
+ address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+ professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable
+behavior and are expected to take appropriate and fair corrective action in
+response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community. Examples of
+representing a project or community include using an official project e-mail
+address, posting via an official social media account, or acting as an appointed
+representative at an online or offline event. Representation of a project may be
+further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting the project team via issues. All
+complaints will be reviewed and investigated and will result in a response that
+is deemed necessary and appropriate to the circumstances. The project team is
+obligated to maintain confidentiality with regard to the reporter of an incident.
+Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good
+faith may face temporary or permanent repercussions as determined by other
+members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
+available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html
+
+[homepage]: https://www.contributor-covenant.org
+
+For answers to common questions about this code of conduct, see
+https://www.contributor-covenant.org/faq

CONTRIBUTING.md

@@ -0,0 +1 @@
+Feel free to contribute to this project.

Dockerfile

@@ -1,12 +1,12 @@
-FROM ubuntu:latest
+# drinternet/rsync@v1.4.4
+FROM drinternet/rsync@sha256:15b2949838074bd93c49421c22380396a0cd53a322439e799ac87afcadcfe234
 
-# Update
-RUN apt-get update
-
-# Install packages
-RUN apt-get -yq install rsync openssh-client
+# always force-upgrade rsync to get the latest security fixes
+RUN apk update && apk add --no-cache --upgrade rsync
+RUN rm -rf /var/cache/apk/*
 
 # Copy entrypoint
-ADD entrypoint.sh /entrypoint.sh
+COPY entrypoint.sh /entrypoint.sh
 RUN chmod +x /entrypoint.sh
+
 ENTRYPOINT ["/entrypoint.sh"]

LICENSE

@@ -1,7 +1,7 @@
 MIT License
 
-Copyright (c) 2019 Contention
-Copyright (c) 2019 Burnett01
+Copyright (c) 2019-2022 Contention
+Copyright (c) 2019-2024 Burnett01
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

README.md

@@ -1,11 +1,13 @@
 # rsync deployments
 
-Forked from [Contention/rsync-deployments](https://github.com/Contention/rsync-deployments)
+This GitHub Action (amd64) deploys files in `GITHUB_WORKSPACE` to a remote folder via rsync over ssh. 
 
+Use this action in a CD workflow which leaves deployable code in `GITHUB_WORKSPACE`.
 
-This GitHub Action deploys files in `GITHUB_WORKSPACE` to a folder on a server via rsync over ssh. 
+The base-image [drinternet/rsync](https://github.com/JoshPiper/rsync-docker/) of this action is very small and is based on Alpine 3.19.1 (no cache) which results in fast deployments.
 
-Use this action in a build/test workflow which leaves deployable code in `GITHUB_WORKSPACE`.
+Alpine version: [3.19.1](https://alpinelinux.org/posts/Alpine-3.19.1-released.html)
+Rsync version: [3.4.0-r0](https://download.samba.org/pub/rsync/NEWS#3.4.0)
 
 ---
 
@@ -15,7 +17,9 @@ Use this action in a build/test workflow which leaves deployable code in `GITHUB
 
 - `rsh` - Remote shell commands
 
-- `path` - The source path. Defaults to GITHUB_WORKSPACE
+- `legacy_allow_rsa_hostkeys` - Enables support for legacy RSA host keys on OpenSSH 8.8+. ("true" / "false")
+
+- `path` - The source path. Defaults to GITHUB_WORKSPACE and is relative to it
 
 - `remote_path`* - The deployment target path
 
@@ -27,17 +31,25 @@ Use this action in a build/test workflow which leaves deployable code in `GITHUB
 
 - `remote_key`* - The remote ssh key
 
+- `remote_key_pass` - The remote ssh key passphrase (if any)
+
 ``* = Required``
 
-## Required secret
+## Required secret(s)
 
-This action needs a `DEPLOY_KEY` secret variable. This should be the private key part of a ssh key pair. The public key part should be added to the authorized_keys file on the server that receives the deployment. This should be set in the Github secrets section and then referenced as the  `remote_key` input.
+This action needs secret variables for the ssh private key of your key pair. The public key part should be added to the authorized_keys file on the server that receives the deployment. The secret variable should be set in the Github secrets section of your org/repo and then referenced as the  `remote_key` input.
+
+> Always use secrets when dealing with sensitive inputs!
+
+For simplicity, we are using `DEPLOY_*` as the secret variables throughout the examples.
+
+## Current Version: 7.0.2
 
 ## Example usage
 
 Simple:
 
-```
+```yml
 name: DEPLOY
 on:
   push:
@@ -48,9 +60,9 @@ jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v1
+    - uses: actions/checkout@v3
     - name: rsync deployments
-      uses: burnett01/rsync-deployments@2.0
+      uses: burnett01/rsync-deployments@7.0.2
       with:
         switches: -avzr --delete
         path: src/
@@ -62,20 +74,14 @@ jobs:
 
 Advanced:
 
-```
-name: DEPLOY
-on:
-  push:
-    branches:
-    - master
-
+```yml
 jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v1
+    - uses: actions/checkout@v3
     - name: rsync deployments
-      uses: burnett01/rsync-deployments@2.0
+      uses: burnett01/rsync-deployments@7.0.2
       with:
         switches: -avzr --delete --exclude="" --include="" --filter=""
         path: src/
@@ -86,38 +92,162 @@ jobs:
         remote_key: ${{ secrets.DEPLOY_KEY }}
 ```
 
-For better security, I suggest you create additional secrets for remote_host, remote_port and remote_user inputs.
-
-```
-name: DEPLOY
-on:
-  push:
-    branches:
-    - master
+For better **security**, I suggest you create additional secrets for remote_host, remote_port, remote_user and remote_path inputs.
 
+```yml
 jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v1
+    - uses: actions/checkout@v3
     - name: rsync deployments
-      uses: burnett01/rsync-deployments@2.0
+      uses: burnett01/rsync-deployments@7.0.2
       with:
         switches: -avzr --delete
         path: src/
-        remote_path: /var/www/html/
+        remote_path: ${{ secrets.DEPLOY_PATH }}
         remote_host: ${{ secrets.DEPLOY_HOST }}
         remote_port: ${{ secrets.DEPLOY_PORT }}
         remote_user: ${{ secrets.DEPLOY_USER }}
         remote_key: ${{ secrets.DEPLOY_KEY }}
 ```
 
+If your private key is passphrase protected you should use:
+
+```yml
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - name: rsync deployments
+      uses: burnett01/rsync-deployments@7.0.2
+      with:
+        switches: -avzr --delete
+        path: src/
+        remote_path: ${{ secrets.DEPLOY_PATH }}
+        remote_host: ${{ secrets.DEPLOY_HOST }}
+        remote_port: ${{ secrets.DEPLOY_PORT }}
+        remote_user: ${{ secrets.DEPLOY_USER }}
+        remote_key: ${{ secrets.DEPLOY_KEY }}
+        remote_key_pass: ${{ secrets.DEPLOY_KEY_PASS }}
+```
+
 ---
 
-## Version 1.0 (EOL)
+#### Legacy RSA Hostkeys support for OpenSSH Servers >= 8.8+
 
-Looking for version 1.0?
+If your remote OpenSSH Server still uses RSA hostkeys, then you have to
+manually enable legacy support for this by using ``legacy_allow_rsa_hostkeys: "true"``.
+
+```yml
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - name: rsync deployments
+      uses: burnett01/rsync-deployments@7.0.2
+      with:
+        switches: -avzr --delete
+        legacy_allow_rsa_hostkeys: "true"
+        path: src/
+        remote_path: ${{ secrets.DEPLOY_PATH }}
+        remote_host: ${{ secrets.DEPLOY_HOST }}
+        remote_port: ${{ secrets.DEPLOY_PORT }}
+        remote_user: ${{ secrets.DEPLOY_USER }}
+        remote_key: ${{ secrets.DEPLOY_KEY }}
+```
+
+See [#49](https://github.com/Burnett01/rsync-deployments/issues/49) and [#24](https://github.com/Burnett01/rsync-deployments/issues/24) for more information.
+
+---
+
+## Version 7.0.0 & 7.0.1 (DEPRECATED)
+
+Check here: 
+
+- https://github.com/Burnett01/rsync-deployments/tree/7.0.0  (alpine 3.19.1)
+- https://github.com/Burnett01/rsync-deployments/tree/7.0.1  (alpine 3.19.1)
+  
+---
+
+## Version 6.0 (EOL)
+
+Check here: 
+
+- https://github.com/Burnett01/rsync-deployments/tree/6.0  (alpine 3.17.2)
+
+---
+
+## Version 5.0, 5.1 & 5.2 & 5.x (EOL)
+
+Check here: 
+
+- https://github.com/Burnett01/rsync-deployments/tree/5.0  (alpine 3.11.x)
+- https://github.com/Burnett01/rsync-deployments/tree/5.1  (alpine 3.14.1)
+- https://github.com/Burnett01/rsync-deployments/tree/5.2  (alpine 3.15.0)
+- https://github.com/Burnett01/rsync-deployments/tree/5.2.1  (alpine 3.16.1)
+- https://github.com/Burnett01/rsync-deployments/tree/5.2.2  (alpine 3.17.2)
+
+---
+
+## Version 4.0 & 4.1 (EOL)
+
+Check here: 
+
+- https://github.com/Burnett01/rsync-deployments/tree/4.0
+- https://github.com/Burnett01/rsync-deployments/tree/4.1
+
+Version 4.0 & 4.1 use the ``drinternet/rsync:1.0.1`` base-image.
+
+---
+
+## Version 3.0 (EOL)
+
+Check here: https://github.com/Burnett01/rsync-deployments/tree/3.0
+
+Version 3.0 uses the ``alpine:latest`` base-image directly.<br>
+Consider upgrading to 4.0 that uses a docker-image ``drinternet/rsync:1.0.1`` that is<br>
+based on ``alpine:latest``and heavily optimized for rsync.
+
+## Version 2.0 (EOL)
+
+Check here: https://github.com/Burnett01/rsync-deployments/tree/2.0
+
+Version 2.0 uses a larger base-image (``ubuntu:latest``).<br>
+Consider upgrading to 3.0 for even faster deployments.
+
+## Version 1.0 (EOL)
 
 Check here: https://github.com/Burnett01/rsync-deployments/tree/1.0
 
 Please note that version 1.0 has reached end of life state.
+
+---
+
+## Acknowledgements
+
++ This project is a fork of [Contention/rsync-deployments](https://github.com/Contention/rsync-deployments)
++ Base image [JoshPiper/rsync-docker](https://github.com/JoshPiper/rsync-docker)
+
+---
+
+## Media
+
+This action was featured in multiple blogs across the globe:
+
+> Disclaimer: The author & co-authors are not responsible for the content of the site-links below.
+
+- https://elijahverdoorn.com/2020/04/14/automating-deployment-with-github-actions/
+
+- https://www.vektor-inc.co.jp/post/github-actions-deploy/
+
+- https://webpick.info/automatiser-avec-github-actions/
+
+- https://matthias-andrasch.eu/blog/2021/tutorial-webseite-mittels-github-actions-deployment-zu-uberspace-uebertragen-rsync/
+
+- https://jishuin.proginn.com/p/763bfbd38928
+
+- https://cloud.tencent.com/developer/article/1786522
+

SECURITY.md

@@ -0,0 +1,21 @@
+# Security Policy
+
+## Supported Versions
+
+The following versions are currently being supported with security updates:
+
+| Version | Supported          | Rsync version          |
+| ------- | ------------------ | ------------------ |
+| 7.0.2   | :white_check_mark: | >= 3.4.0 |
+| 7.0.1   | :warning: DEPRECATED | < 3.4.0 |
+| 7.0.0   | :warning: DEPRECATED | < 3.4.0|
+| 6.x   | :x: EOL |< 3.4.0|
+| 5.x   | :x: EOL |< 3.4.0|
+| 4.x   | :x: EOL |< 3.4.0|
+| 3.0   | :x: EOL |< 3.4.0|
+| 2.0   | :x: EOL               |< 3.4.0|
+| 1.0   | :x: EOL               |< 3.4.0|
+
+## Reporting a Vulnerability
+
+You can report a vulnerability by creating an issue.

action.yml

@@ -9,6 +9,10 @@ inputs:
     description: 'The remote shell argument'
     required: false
     default: ''
+  legacy_allow_rsa_hostkeys:
+    description: 'Enables support for legacy RSA host keys on OpenSSH 8.8+'
+    required: false
+    default: 'false'
   path:
     description: 'The local path'
     required: false
@@ -29,6 +33,10 @@ inputs:
   remote_key:
     description: 'The remote key'
     required: true
+  remote_key_pass:
+    description: 'The remote key passphrase'
+    required: false
+    default: ''
 runs:
   using: 'docker'
   image: 'Dockerfile'

entrypoint.sh

@@ -1,18 +1,25 @@
-#!/bin/bash
+#!/bin/sh
 
+if [ -z "$(echo "$INPUT_REMOTE_PATH" | awk '{$1=$1};1')" ]; then
+    echo "The remote_path can not be empty. see: github.com/Burnett01/rsync-deployments/issues/44"
+    exit 1
+fi
+
+# Start the SSH agent and load key.
+source agent-start "$GITHUB_ACTION"
+echo "$INPUT_REMOTE_KEY" | SSH_PASS="$INPUT_REMOTE_KEY_PASS" agent-add
+
+# Add strict errors.
 set -eu
 
-# Set deploy key
-SSH_PATH="$HOME/.ssh"
+# Variables.
+LEGACY_RSA_HOSTKEYS="-o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa"
+LEGACY_RSA_HOSTKEYS=$([ "$INPUT_LEGACY_ALLOW_RSA_HOSTKEYS" = "true" ] && echo "$LEGACY_RSA_HOSTKEYS" || echo "")
 
-# Create .ssh dir if it doesn't exist
-[ -d "$SSH_PATH" ] || mkdir "$SSH_PATH"
+SWITCHES="$INPUT_SWITCHES"
+RSH="ssh -o StrictHostKeyChecking=no $LEGACY_RSA_HOSTKEYS -p $INPUT_REMOTE_PORT $INPUT_RSH"
+LOCAL_PATH="$GITHUB_WORKSPACE/$INPUT_PATH"
+DSN="$INPUT_REMOTE_USER@$INPUT_REMOTE_HOST"
 
-# Place deploy_key into .ssh dir
-echo "$INPUT_REMOTE_KEY" > "$SSH_PATH/key"
-
-# Set r+w to user only
-chmod 600 "$SSH_PATH/key"
-
-# Do deployment
-sh -c "rsync $INPUT_SWITCHES -e 'ssh -i $SSH_PATH/key -o StrictHostKeyChecking=no -p $INPUT_REMOTE_PORT $INPUT_RSH' $GITHUB_WORKSPACE/$INPUT_PATH $INPUT_REMOTE_USER@$INPUT_REMOTE_HOST:$INPUT_REMOTE_PATH"
+# Deploy.
+sh -c "rsync $SWITCHES -e '$RSH' $LOCAL_PATH $DSN:$INPUT_REMOTE_PATH"