diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..31d2199
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,6 @@
+version: 2
+updates:
+ - package-ecosystem: docker
+ directory: /
+ schedule:
+ interval: monthly
diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md
new file mode 100644
index 0000000..a4ec36f
--- /dev/null
+++ b/CODE_OF_CONDUCT.md
@@ -0,0 +1,76 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as
+contributors and maintainers pledge to making participation in our project and
+our community a harassment-free experience for everyone, regardless of age, body
+size, disability, ethnicity, sex characteristics, gender identity and expression,
+level of experience, education, socio-economic status, nationality, personal
+appearance, race, religion, or sexual identity and orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment
+include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or
+ advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic
+ address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+ professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable
+behavior and are expected to take appropriate and fair corrective action in
+response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community. Examples of
+representing a project or community include using an official project e-mail
+address, posting via an official social media account, or acting as an appointed
+representative at an online or offline event. Representation of a project may be
+further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting the project team via issues. All
+complaints will be reviewed and investigated and will result in a response that
+is deemed necessary and appropriate to the circumstances. The project team is
+obligated to maintain confidentiality with regard to the reporter of an incident.
+Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good
+faith may face temporary or permanent repercussions as determined by other
+members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
+available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html
+
+[homepage]: https://www.contributor-covenant.org
+
+For answers to common questions about this code of conduct, see
+https://www.contributor-covenant.org/faq
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
new file mode 100644
index 0000000..167342d
--- /dev/null
+++ b/CONTRIBUTING.md
@@ -0,0 +1 @@
+Feel free to contribute to this project.
diff --git a/Dockerfile b/Dockerfile
index e206465..0fe5c56 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,9 @@
-FROM drinternet/rsync:1.0.1
+# drinternet/rsync@v1.4.4
+FROM drinternet/rsync@sha256:15b2949838074bd93c49421c22380396a0cd53a322439e799ac87afcadcfe234
+
+# always force-upgrade rsync to get the latest security fixes
+RUN apk update && apk add --no-cache --upgrade rsync
+RUN rm -rf /var/cache/apk/*
# Copy entrypoint
COPY entrypoint.sh /entrypoint.sh
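Review bot: The new `FROM` line at the top of the hunk pins the base image by digest only and keeps the version in a comment, so the Dependabot config added in the `.github/dependabot.yml` hunk presumably has no tag to compare against and may never propose a newer image — confirm against Dependabot's docker-ecosystem behaviour. Keeping tag and digest together, `FROM drinternet/rsync:<tag for v1.4.4>@sha256:15b2949838074bd93c49421c22380396a0cd53a322439e799ac87afcadcfe234`, keeps the pin immutable while giving the updater something to bump. The two `RUN` lines can be collapsed: `apk update` is redundant with `--no-cache`, and `rm -rf /var/cache/apk/*` in its own layer removes nothing from the earlier layer, so `RUN apk add --no-cache --upgrade rsync` alone is equivalent and produces a smaller image. Since the entrypoint drives everything over ssh, consider whether `apk upgrade --no-cache` is wanted here so openssh in the base image receives the same refresh as rsync.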
diff --git a/LICENSE b/LICENSE
index 41554ec..3907af1 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,7 +1,7 @@
MIT License
-Copyright (c) 2019-2020 Contention
-Copyright (c) 2019-2020 Burnett01
+Copyright (c) 2019-2022 Contention
+Copyright (c) 2019-2024 Burnett01
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
diff --git a/README.md b/README.md
index f866d66..fc7be23 100644
--- a/README.md
+++ b/README.md
@@ -1,10 +1,13 @@
# rsync deployments
-This GitHub Action deploys files in `GITHUB_WORKSPACE` to a remote folder via rsync over ssh.
+This GitHub Action (amd64) deploys files in `GITHUB_WORKSPACE` to a remote folder via rsync over ssh.
Use this action in a CD workflow which leaves deployable code in `GITHUB_WORKSPACE`.
-The underlaying base-image of the docker-image is very small (Alpine (no cache)) which results in fast deployments.
+The base-image [drinternet/rsync](https://github.com/JoshPiper/rsync-docker/) of this action is very small and is based on Alpine 3.19.1 (no cache) which results in fast deployments.
+
+Alpine version: [3.19.1](https://alpinelinux.org/posts/Alpine-3.19.1-released.html)
+Rsync version: [3.4.0-r0](https://download.samba.org/pub/rsync/NEWS#3.4.0)
---
@@ -14,7 +17,9 @@ The underlaying base-image of the docker-image is very small (Alpine (no cache))
- `rsh` - Remote shell commands
-- `path` - The source path. Defaults to GITHUB_WORKSPACE
+- `legacy_allow_rsa_hostkeys` - Enables support for legacy RSA host keys on OpenSSH 8.8+. ("true" / "false")
+
+- `path` - The source path. Defaults to GITHUB_WORKSPACE and is relative to it
- `remote_path`* - The deployment target path
@@ -26,17 +31,25 @@ The underlaying base-image of the docker-image is very small (Alpine (no cache))
- `remote_key`* - The remote ssh key
+- `remote_key_pass` - The remote ssh key passphrase (if any)
+
``* = Required``
-## Required secret
+## Required secret(s)
-This action needs a `DEPLOY_KEY` secret variable. This should be the private key part of a ssh key pair. The public key part should be added to the authorized_keys file on the server that receives the deployment. This should be set in the Github secrets section and then referenced as the `remote_key` input.
+This action needs secret variables for the ssh private key of your key pair. The public key part should be added to the authorized_keys file on the server that receives the deployment. The secret variable should be set in the Github secrets section of your org/repo and then referenced as the `remote_key` input.
+
+> Always use secrets when dealing with sensitive inputs!
+
+For simplicity, we are using `DEPLOY_*` as the secret variables throughout the examples.
+
+## Current Version: 7.0.2
## Example usage
Simple:
-```
+```yml
name: DEPLOY
on:
push:
@@ -47,9 +60,9 @@ jobs:
deploy:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: rsync deployments
- uses: burnett01/rsync-deployments@4.1
+ uses: burnett01/rsync-deployments@7.0.2
with:
switches: -avzr --delete
path: src/
@@ -61,14 +74,14 @@ jobs:
Advanced:
-```
+```yml
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: rsync deployments
- uses: burnett01/rsync-deployments@4.1
+ uses: burnett01/rsync-deployments@7.0.2
with:
switches: -avzr --delete --exclude="" --include="" --filter=""
path: src/
@@ -79,31 +92,118 @@ jobs:
remote_key: ${{ secrets.DEPLOY_KEY }}
```
-For better security, I suggest you create additional secrets for remote_host, remote_port and remote_user inputs.
+For better **security**, I suggest you create additional secrets for remote_host, remote_port, remote_user and remote_path inputs.
-```
+```yml
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
- name: rsync deployments
- uses: burnett01/rsync-deployments@4.1
+ uses: burnett01/rsync-deployments@7.0.2
with:
switches: -avzr --delete
path: src/
- remote_path: /var/www/html/
+ remote_path: ${{ secrets.DEPLOY_PATH }}
remote_host: ${{ secrets.DEPLOY_HOST }}
remote_port: ${{ secrets.DEPLOY_PORT }}
remote_user: ${{ secrets.DEPLOY_USER }}
remote_key: ${{ secrets.DEPLOY_KEY }}
```
+If your private key is passphrase protected you should use:
+
+```yml
+jobs:
+ deploy:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - name: rsync deployments
+ uses: burnett01/rsync-deployments@7.0.2
+ with:
+ switches: -avzr --delete
+ path: src/
+ remote_path: ${{ secrets.DEPLOY_PATH }}
+ remote_host: ${{ secrets.DEPLOY_HOST }}
+ remote_port: ${{ secrets.DEPLOY_PORT }}
+ remote_user: ${{ secrets.DEPLOY_USER }}
+ remote_key: ${{ secrets.DEPLOY_KEY }}
+ remote_key_pass: ${{ secrets.DEPLOY_KEY_PASS }}
+```
+
---
-## Version 3.0
+#### Legacy RSA Hostkeys support for OpenSSH Servers >= 8.8+
-Looking for version 3.0?
+If your remote OpenSSH Server still uses RSA hostkeys, then you have to
+manually enable legacy support for this by using ``legacy_allow_rsa_hostkeys: "true"``.
+
+```yml
+jobs:
+ deploy:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - name: rsync deployments
+ uses: burnett01/rsync-deployments@7.0.2
+ with:
+ switches: -avzr --delete
+ legacy_allow_rsa_hostkeys: "true"
+ path: src/
+ remote_path: ${{ secrets.DEPLOY_PATH }}
+ remote_host: ${{ secrets.DEPLOY_HOST }}
+ remote_port: ${{ secrets.DEPLOY_PORT }}
+ remote_user: ${{ secrets.DEPLOY_USER }}
+ remote_key: ${{ secrets.DEPLOY_KEY }}
+```
+
+See [#49](https://github.com/Burnett01/rsync-deployments/issues/49) and [#24](https://github.com/Burnett01/rsync-deployments/issues/24) for more information.
+
+---
+
+## Version 7.0.0 & 7.0.1 (DEPRECATED)
+
+Check here:
+
+- https://github.com/Burnett01/rsync-deployments/tree/7.0.0 (alpine 3.19.1)
+- https://github.com/Burnett01/rsync-deployments/tree/7.0.1 (alpine 3.19.1)
+
+---
+
+## Version 6.0 (EOL)
+
+Check here:
+
+- https://github.com/Burnett01/rsync-deployments/tree/6.0 (alpine 3.17.2)
+
+---
+
+## Version 5.0, 5.1 & 5.2 & 5.x (EOL)
+
+Check here:
+
+- https://github.com/Burnett01/rsync-deployments/tree/5.0 (alpine 3.11.x)
+- https://github.com/Burnett01/rsync-deployments/tree/5.1 (alpine 3.14.1)
+- https://github.com/Burnett01/rsync-deployments/tree/5.2 (alpine 3.15.0)
+- https://github.com/Burnett01/rsync-deployments/tree/5.2.1 (alpine 3.16.1)
+- https://github.com/Burnett01/rsync-deployments/tree/5.2.2 (alpine 3.17.2)
+
+---
+
+## Version 4.0 & 4.1 (EOL)
+
+Check here:
+
+- https://github.com/Burnett01/rsync-deployments/tree/4.0
+- https://github.com/Burnett01/rsync-deployments/tree/4.1
+
+Version 4.0 & 4.1 use the ``drinternet/rsync:1.0.1`` base-image.
+
+---
+
+## Version 3.0 (EOL)
Check here: https://github.com/Burnett01/rsync-deployments/tree/3.0
@@ -111,9 +211,7 @@ Version 3.0 uses the ``alpine:latest`` base-image directly.
Consider upgrading to 4.0 that uses a docker-image ``drinternet/rsync:1.0.1`` that is
based on ``alpine:latest``and heavily optimized for rsync.
-## Version 2.0
-
-Looking for version 2.0?
+## Version 2.0 (EOL)
Check here: https://github.com/Burnett01/rsync-deployments/tree/2.0
@@ -122,8 +220,6 @@ Consider upgrading to 3.0 for even faster deployments.
## Version 1.0 (EOL)
-Looking for version 1.0?
-
Check here: https://github.com/Burnett01/rsync-deployments/tree/1.0
Please note that version 1.0 has reached end of life state.
@@ -135,4 +231,23 @@ Please note that version 1.0 has reached end of life state.
+ This project is a fork of [Contention/rsync-deployments](https://github.com/Contention/rsync-deployments)
+ Base image [JoshPiper/rsync-docker](https://github.com/JoshPiper/rsync-docker)
+---
+
+## Media
+
+This action was featured in multiple blogs across the globe:
+
+> Disclaimer: The author & co-authors are not responsible for the content of the site-links below.
+
+- https://elijahverdoorn.com/2020/04/14/automating-deployment-with-github-actions/
+
+- https://www.vektor-inc.co.jp/post/github-actions-deploy/
+
+- https://webpick.info/automatiser-avec-github-actions/
+
+- https://matthias-andrasch.eu/blog/2021/tutorial-webseite-mittels-github-actions-deployment-zu-uberspace-uebertragen-rsync/
+
+- https://jishuin.proginn.com/p/763bfbd38928
+
+- https://cloud.tencent.com/developer/article/1786522
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..36f2e06
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,21 @@
+# Security Policy
+
+## Supported Versions
+
+The following versions are currently being supported with security updates:
+
+| Version | Supported | Rsync version |
+| ------- | ------------------ | ------------------ |
+| 7.0.2 | :white_check_mark: | >= 3.4.0 |
+| 7.0.1 | :warning: DEPRECATED | < 3.4.0 |
+| 7.0.0 | :warning: DEPRECATED | < 3.4.0|
+| 6.x | :x: EOL |< 3.4.0|
+| 5.x | :x: EOL |< 3.4.0|
+| 4.x | :x: EOL |< 3.4.0|
+| 3.0 | :x: EOL |< 3.4.0|
+| 2.0 | :x: EOL |< 3.4.0|
+| 1.0 | :x: EOL |< 3.4.0|
+
+## Reporting a Vulnerability
+
+You can report a vulnerability by creating an issue.
diff --git a/action.yml b/action.yml
index d89ac9e..db35730 100644
--- a/action.yml
+++ b/action.yml
@@ -9,6 +9,10 @@ inputs:
description: 'The remote shell argument'
required: false
default: ''
+ legacy_allow_rsa_hostkeys:
+ description: 'Enables support for legacy RSA host keys on OpenSSH 8.8+'
+ required: false
+ default: 'false'
path:
description: 'The local path'
required: false
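Review bot: The `legacy_allow_rsa_hostkeys` description does not say that the entrypoint honours only the exact string `"true"` (the entrypoint.sh hunk compares with `= "true"`), so `True`, `yes` or `1` silently leave the option off; suggest `description: 'Enables support for legacy RSA host keys on OpenSSH 8.8+ (set to the string "true"; any other value disables it)'`. It would also help to state that enabling it re-allows the SHA-1-based ssh-rsa algorithm that OpenSSH 8.8 disabled by default, so users understand it is a deliberate downgrade. The same applies to `remote_key_pass` in the second action.yml hunk, whose description could steer users to the secrets mechanism the README already recommends, e.g. `description: 'The remote key passphrase (pass via a secret)'`.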
@@ -29,6 +33,10 @@ inputs:
remote_key:
description: 'The remote key'
required: true
+ remote_key_pass:
+ description: 'The remote key passphrase'
+ required: false
+ default: ''
runs:
using: 'docker'
image: 'Dockerfile'
diff --git a/entrypoint.sh b/entrypoint.sh
index 6590803..b854a54 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -1,15 +1,23 @@
#!/bin/sh
+if [ -z "$(echo "$INPUT_REMOTE_PATH" | awk '{$1=$1};1')" ]; then
+ echo "The remote_path can not be empty. see: github.com/Burnett01/rsync-deployments/issues/44"
+ exit 1
+fi
+
# Start the SSH agent and load key.
source agent-start "$GITHUB_ACTION"
-echo "$INPUT_REMOTE_KEY" | agent-add
+echo "$INPUT_REMOTE_KEY" | SSH_PASS="$INPUT_REMOTE_KEY_PASS" agent-add
# Add strict errors.
set -eu
# Variables.
+LEGACY_RSA_HOSTKEYS="-o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa"
+LEGACY_RSA_HOSTKEYS=$([ "$INPUT_LEGACY_ALLOW_RSA_HOSTKEYS" = "true" ] && echo "$LEGACY_RSA_HOSTKEYS" || echo "")
+
SWITCHES="$INPUT_SWITCHES"
-RSH="ssh -o StrictHostKeyChecking=no -p $INPUT_REMOTE_PORT $INPUT_RSH"
+RSH="ssh -o StrictHostKeyChecking=no $LEGACY_RSA_HOSTKEYS -p $INPUT_REMOTE_PORT $INPUT_RSH"
LOCAL_PATH="$GITHUB_WORKSPACE/$INPUT_PATH"
DSN="$INPUT_REMOTE_USER@$INPUT_REMOTE_HOST"
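Review bot: The rewritten `agent-add` line (`echo "$INPUT_REMOTE_KEY" | SSH_PASS="$INPUT_REMOTE_KEY_PASS" agent-add`) still runs before `set -eu`, so a key that fails to load — now also a wrong `remote_key_pass` — does not stop the script here and only surfaces later at the rsync call outside this hunk; `agent-add` itself is not on this page, so whether it exits non-zero on a bad passphrase needs checking. Moving `set -eu` above the key-loading block, or appending `|| exit 1` to that line, makes the failure visible at its source. The rebuilt `RSH` line keeps `-o StrictHostKeyChecking=no`, and in a fresh container there is no known_hosts, so the host key of `$INPUT_REMOTE_HOST` is accepted unverified on every run; a comment such as `# host-key verification is disabled: the target is trusted via the remote_* inputs only` would at least make that explicit, with an optional known_hosts input as a follow-up. `$LEGACY_RSA_HOSTKEYS` is intentionally left unquoted so it word-splits into two `-o` options; a one-line comment saying so would stop a future quoting "fix" from breaking it.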