feat: rsync-docker as first-party code, configureable strict host keys checking

2025-12-19 11:12:18 +01:00 · 2025-09-01 13:08:48 +00:00 · 2025-09-01 13:08:48 +00:00 · 9b1bf7278e
commit 9b1bf7278e
parent 92961b5880
11 changed files with 128 additions and 14 deletions
--- a/.dockerignore
+++ b/.dockerignore
@ -0,0 +1,5 @@
 Dockerfile
 LICENSE
 *.md
 .git*
 .github*
--- a/.editorconfig
+++ b/.editorconfig
@ -0,0 +1,15 @@
 root = true
 [*]
 charset = utf-8
 end_of_line = lf
 tab_width = 4
 indent_size = 4
 indent_style = space
 max_line_length = 9999
 insert_final_newline = true
 trim_trailing_whitespace = true
 [*.{yml,yaml}]
 tab_width = 2
 indent_size = 2
--- a/13
+++ b/13
@ -1,11 +1,14 @@
-# drinternet/rsync@v1.5.1
+FROM alpine:3.22.1 as base
-FROM drinternet/rsync@sha256:e61f4047577b566872764fa39299092adeab691efb3884248dbd6495dc926527
+
 RUN apk update && apk add --no-cache --upgrade rsync openssh-client openssl
 # always force-upgrade rsync to get the latest security fixes
 RUN apk update && apk add --no-cache --upgrade rsync openssl
 RUN rm -rf /var/cache/apk/*
-# Copy entrypoint
+COPY docker-rsync/* /bin/
 RUN chmod +x /bin/agent-* /bin/hosts-*
 FROM base as build
 COPY entrypoint.sh /entrypoint.sh
 RUN chmod +x /entrypoint.sh
--- a/1
+++ b/1
@ -1,6 +1,7 @@
 MIT License
 Copyright (c) 2019-2022 Contention
 Copyright (c) 2019-2025 Joshua Piper (Dr Internet)
 Copyright (c) 2019-2025 Burnett01
 Permission is hereby granted, free of charge, to any person obtaining a copy
--- a/action.yml
+++ b/action.yml
@ -13,6 +13,10 @@ inputs:
    description: 'Enables support for legacy RSA host keys on OpenSSH 8.8+'
    required: false
    default: 'false'
  strict_hostkeys_checking:
    description: 'Controls strict host keys checking'
    required: false
    default: 'false'
  path:
    description: 'The local path'
    required: false
--- a/docker-rsync/agent-add
+++ b/docker-rsync/agent-add
@ -0,0 +1,6 @@
 #!/bin/sh
 set -euo pipefail
 source agent-start "${1:-default}"
 cat - | tr -d '\r' | DISPLAY=1 SSH_ASKPASS=agent-askpass ssh-add - >/dev/null
--- a/docker-rsync/agent-askpass
+++ b/docker-rsync/agent-askpass
@ -0,0 +1,5 @@
 #!/bin/sh
 set -euo pipefail
 echo "$SSH_PASS"
--- a/docker-rsync/agent-start
+++ b/docker-rsync/agent-start
@ -0,0 +1,21 @@
 #!/bin/sh
 set -euo pipefail
 FOLDER=${1:-default}
 STORE_PATH="/tmp/ssh-agent/$FOLDER"
 mkdir -p "$STORE_PATH"
 if [ -z "$SSH_AGENT_PID" ]; then
 	if [ -f "$STORE_PATH/id" ]; then
 		SSH_AGENT_PID=$(cat "$STORE_PATH/id")
 		export SSH_AGENT_PID
 		SSH_AUTH_SOCK=$(cat "$STORE_PATH/sock")
 		export SSH_AUTH_SOCK
 	else
 		eval "$(ssh-agent)" > /dev/null
 		echo "$SSH_AGENT_PID" > "$STORE_PATH"/id
 		echo "$SSH_AUTH_SOCK" > "$STORE_PATH"/sock
 	fi
 fi
--- a/docker-rsync/agent-stop
+++ b/docker-rsync/agent-stop
@ -0,0 +1,37 @@
 #!/bin/sh
 set -euo pipefail
 if [ ! -z "$SSH_AGENT_PID" ]; then
 	# Here, the environment is set already, just kill the script.
 	eval $(ssh-agent -k) >/dev/null
 	exit $?
 else
 	# The env isn't set, construct the file path.
 	FOLDER=${1:-default}
 	STORE_PATH="/tmp/ssh-agent/$FOLDER"
 	if [ ! -d "$STORE_PATH" ]; then
 		echo "Store Path $STORE_PATH doesn't exist!" >&2
 		exit 1
 	fi
 	# And check our files exist.
 	if [ -f "$STORE_PATH/id" ]; then
 		# Grab our PID and socket.
 		SSH_AGENT_PID=$(cat "$STORE_PATH/id")
 		export SSH_AGENT_PID
 		rm "$STORE_PATH/id"
 		SSH_AUTH_SOCK=$(cat "$STORE_PATH/sock")
 		export SSH_AUTH_SOCK
 		rm "$STORE_PATH/sock"
 		rmdir "$STORE_PATH"
 		eval $(ssh-agent -k) >/dev/null
 		exit $?
 	else
 		echo "SSH_AGENT_PID not set, $STORE_PATH/id doesn't exist!" >&2
 		exit 1
 	fi
 fi
--- a/docker-rsync/ssh-init
+++ b/docker-rsync/ssh-init
@ -0,0 +1,5 @@
 #!/bin/sh
 set -euo pipefail
 mkdir -m 700 ~/.ssh
--- a/entrypoint.sh
+++ b/entrypoint.sh
@ -1,25 +1,37 @@
 #!/bin/sh
 set -euo pipefail
 if [ -z "$(echo "$INPUT_REMOTE_PATH" | awk '{$1=$1};1')" ]; then
    echo "The remote_path can not be empty. see: github.com/Burnett01/rsync-deployments/issues/44"
    exit 1
 fi
 # Initialize SSH and known hosts.
 source ssh-init
 # Start the SSH agent and load key.
 source agent-start "$GITHUB_ACTION"
-echo "$INPUT_REMOTE_KEY" | SSH_PASS="$INPUT_REMOTE_KEY_PASS" agent-add
+printf '%s' "$INPUT_REMOTE_KEY" | SSH_PASS="${INPUT_REMOTE_KEY_PASS}" agent-add >/dev/null 2>&1
 # Add strict errors.
 set -eu
 # Variables.
 LEGACY_RSA_HOSTKEYS=""
 if [ "${INPUT_LEGACY_ALLOW_RSA_HOSTKEYS:-false}" = "true" ]; then
    LEGACY_RSA_HOSTKEYS="-o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa"
-LEGACY_RSA_HOSTKEYS=$([ "$INPUT_LEGACY_ALLOW_RSA_HOSTKEYS" = "true" ] && echo "$LEGACY_RSA_HOSTKEYS" || echo "")
+fi
-SWITCHES="$INPUT_SWITCHES"
+STRICT_HOSTKEYS_CHECKING="-o StrictHostKeyChecking=no"
-RSH="ssh -o StrictHostKeyChecking=no $LEGACY_RSA_HOSTKEYS -p $INPUT_REMOTE_PORT $INPUT_RSH"
+if [ "${INPUT_STRICT_HOSTKEYS_CHECKING:-false}" = "true" ]; then
    STRICT_HOSTKEYS_CHECKING="-o StrictHostKeyChecking=yes"
 fi
 RSH="ssh $STRICT_HOSTKEYS_CHECKING $LEGACY_RSA_HOSTKEYS -p $INPUT_REMOTE_PORT $INPUT_RSH"
 LOCAL_PATH="$GITHUB_WORKSPACE/$INPUT_PATH"
 DSN="$INPUT_REMOTE_USER@$INPUT_REMOTE_HOST"
 # Deploy.
-sh -c "rsync $SWITCHES -e '$RSH' $LOCAL_PATH $DSN:$INPUT_REMOTE_PATH"
+exec rsync "$INPUT_SWITCHES" -e "'$RSH'" "$LOCAL_PATH" "$DSN:$INPUT_REMOTE_PATH"
 # Clean up.
 source agent-stop "$GITHUB_ACTION"