feat: rsync-docker as first-party code, configureable strict host keys checking

2025-12-19 11:12:18 +01:00 · 2025-09-01 13:08:48 +00:00 · 2025-09-01 13:08:48 +00:00 · 9b1bf7278e
commit 9b1bf7278e
parent 92961b5880
11 changed files with 128 additions and 14 deletions
--- a/.dockerignore
+++ b/.dockerignore
@ -0,0 +1,5 @@
+Dockerfile
+LICENSE
+*.md
+.git*
+.github*
--- a/.editorconfig
+++ b/.editorconfig
@ -0,0 +1,15 @@
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+tab_width = 4
+indent_size = 4
+indent_style = space
+max_line_length = 9999
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+[*.{yml,yaml}]
+tab_width = 2
+indent_size = 2
--- a/13
+++ b/13
@ -1,11 +1,14 @@
-# drinternet/rsync@v1.5.1
-FROM drinternet/rsync@sha256:e61f4047577b566872764fa39299092adeab691efb3884248dbd6495dc926527
+FROM alpine:3.22.1 as base
+
+RUN apk update && apk add --no-cache --upgrade rsync openssh-client openssl

-# always force-upgrade rsync to get the latest security fixes
-RUN apk update && apk add --no-cache --upgrade rsync openssl
 RUN rm -rf /var/cache/apk/*

-# Copy entrypoint
+COPY docker-rsync/* /bin/
+RUN chmod +x /bin/agent-* /bin/hosts-*
+
+FROM base as build
+
 COPY entrypoint.sh /entrypoint.sh
 RUN chmod +x /entrypoint.sh

--- a/1
+++ b/1
@ -1,6 +1,7 @@
 MIT License

 Copyright (c) 2019-2022 Contention
+Copyright (c) 2019-2025 Joshua Piper (Dr Internet)
 Copyright (c) 2019-2025 Burnett01

 Permission is hereby granted, free of charge, to any person obtaining a copy
--- a/action.yml
+++ b/action.yml
@ -13,6 +13,10 @@ inputs:
    description: 'Enables support for legacy RSA host keys on OpenSSH 8.8+'
    required: false
    default: 'false'
+  strict_hostkeys_checking:
+    description: 'Controls strict host keys checking'
+    required: false
+    default: 'false'
  path:
    description: 'The local path'
    required: false
--- a/docker-rsync/agent-add
+++ b/docker-rsync/agent-add
@ -0,0 +1,6 @@
+#!/bin/sh
+
+set -euo pipefail
+
+source agent-start "${1:-default}"
+cat - | tr -d '\r' | DISPLAY=1 SSH_ASKPASS=agent-askpass ssh-add - >/dev/null
--- a/docker-rsync/agent-askpass
+++ b/docker-rsync/agent-askpass
@ -0,0 +1,5 @@
+#!/bin/sh
+
+set -euo pipefail
+
+echo "$SSH_PASS"
--- a/docker-rsync/agent-start
+++ b/docker-rsync/agent-start
@ -0,0 +1,21 @@
+#!/bin/sh
+
+set -euo pipefail
+
+FOLDER=${1:-default}
+STORE_PATH="/tmp/ssh-agent/$FOLDER"
+mkdir -p "$STORE_PATH"
+
+if [ -z "$SSH_AGENT_PID" ]; then
+	if [ -f "$STORE_PATH/id" ]; then
+		SSH_AGENT_PID=$(cat "$STORE_PATH/id")
+		export SSH_AGENT_PID
+
+		SSH_AUTH_SOCK=$(cat "$STORE_PATH/sock")
+		export SSH_AUTH_SOCK
+	else
+		eval "$(ssh-agent)" > /dev/null
+		echo "$SSH_AGENT_PID" > "$STORE_PATH"/id
+		echo "$SSH_AUTH_SOCK" > "$STORE_PATH"/sock
+	fi
+fi
--- a/docker-rsync/agent-stop
+++ b/docker-rsync/agent-stop
@ -0,0 +1,37 @@
+#!/bin/sh
+
+set -euo pipefail
+
+if [ ! -z "$SSH_AGENT_PID" ]; then
+	# Here, the environment is set already, just kill the script.
+	eval $(ssh-agent -k) >/dev/null
+	exit $?
+else
+	# The env isn't set, construct the file path.
+	FOLDER=${1:-default}
+	STORE_PATH="/tmp/ssh-agent/$FOLDER"
+	if [ ! -d "$STORE_PATH" ]; then
+		echo "Store Path $STORE_PATH doesn't exist!" >&2
+		exit 1
+	fi
+
+	# And check our files exist.
+	if [ -f "$STORE_PATH/id" ]; then
+		# Grab our PID and socket.
+		SSH_AGENT_PID=$(cat "$STORE_PATH/id")
+		export SSH_AGENT_PID
+		rm "$STORE_PATH/id"
+
+		SSH_AUTH_SOCK=$(cat "$STORE_PATH/sock")
+		export SSH_AUTH_SOCK
+		rm "$STORE_PATH/sock"
+
+
+		rmdir "$STORE_PATH"
+		eval $(ssh-agent -k) >/dev/null
+		exit $?
+	else
+		echo "SSH_AGENT_PID not set, $STORE_PATH/id doesn't exist!" >&2
+		exit 1
+	fi
+fi
--- a/docker-rsync/ssh-init
+++ b/docker-rsync/ssh-init
@ -0,0 +1,5 @@
+#!/bin/sh
+
+set -euo pipefail
+
+mkdir -m 700 ~/.ssh
--- a/entrypoint.sh
+++ b/entrypoint.sh
@ -1,25 +1,37 @@
 #!/bin/sh

+set -euo pipefail
+
 if [ -z "$(echo "$INPUT_REMOTE_PATH" | awk '{$1=$1};1')" ]; then
    echo "The remote_path can not be empty. see: github.com/Burnett01/rsync-deployments/issues/44"
    exit 1
 fi

+# Initialize SSH and known hosts.
+source ssh-init
+
 # Start the SSH agent and load key.
 source agent-start "$GITHUB_ACTION"
-echo "$INPUT_REMOTE_KEY" | SSH_PASS="$INPUT_REMOTE_KEY_PASS" agent-add
-
-# Add strict errors.
-set -eu
+printf '%s' "$INPUT_REMOTE_KEY" | SSH_PASS="${INPUT_REMOTE_KEY_PASS}" agent-add >/dev/null 2>&1

 # Variables.
+LEGACY_RSA_HOSTKEYS=""
+if [ "${INPUT_LEGACY_ALLOW_RSA_HOSTKEYS:-false}" = "true" ]; then
    LEGACY_RSA_HOSTKEYS="-o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa"
-LEGACY_RSA_HOSTKEYS=$([ "$INPUT_LEGACY_ALLOW_RSA_HOSTKEYS" = "true" ] && echo "$LEGACY_RSA_HOSTKEYS" || echo "")
+fi

-SWITCHES="$INPUT_SWITCHES"
-RSH="ssh -o StrictHostKeyChecking=no $LEGACY_RSA_HOSTKEYS -p $INPUT_REMOTE_PORT $INPUT_RSH"
+STRICT_HOSTKEYS_CHECKING="-o StrictHostKeyChecking=no"
+if [ "${INPUT_STRICT_HOSTKEYS_CHECKING:-false}" = "true" ]; then
+    STRICT_HOSTKEYS_CHECKING="-o StrictHostKeyChecking=yes"
+fi
+
+RSH="ssh $STRICT_HOSTKEYS_CHECKING $LEGACY_RSA_HOSTKEYS -p $INPUT_REMOTE_PORT $INPUT_RSH"
 LOCAL_PATH="$GITHUB_WORKSPACE/$INPUT_PATH"
 DSN="$INPUT_REMOTE_USER@$INPUT_REMOTE_HOST"

 # Deploy.
-sh -c "rsync $SWITCHES -e '$RSH' $LOCAL_PATH $DSN:$INPUT_REMOTE_PATH"
+exec rsync "$INPUT_SWITCHES" -e "'$RSH'" "$LOCAL_PATH" "$DSN:$INPUT_REMOTE_PATH"
+
+# Clean up.
+source agent-stop "$GITHUB_ACTION"
+