* fix: only attempt to create dir if not yet exists
On self-hosted runners it can happen that an action (docker container) is cached. This leads to the script trying to create the .ssh dir despite it already existing. The action then fails.
* fix: only attempt to create file if it doesn't exist yet
On self-hosted runners it can happen that an action (docker container) is cached, resulting in aborting this script because the know_hosts file already exists.
This if clause fixes it.
Setting permissions is intentionally outside the if clause because in all cases we want to reset perms.
* fix: reverting printf in favor of echo
Like in commit 2c22263 we are using echo again instead of printf because some runners can't function properly with it.
* chore: 8.0.2
* chore: readme changes
It was found via #90 and #89 that using printf causes problems.
In the previous version 7.1.0 we used echo instead of printf - hence we are bringing this back for version 8.0.x
* feat: latest Alpine 3.23.0
* feat: latest Rsync 3.4.1-r1
* feat: integrate [rsync-docker](https://github.com/JoshPiper/rsync-docker/) 3rd party into this action as 1st party code (no more dependency, better audit, single source of truth)
- backported:
- agent-start
- agent-stop
- agent-askpass
- agent-add
- hosts-add
- hosts-clear
- new added:
- ssh-init
- hosts-init
- improved:
- stricter permissions on .ssh/ folder (700) and known_hosts (600)
- use set -eu in all scipts
* feat: new ``strict_host_keys`` option to enable support for strict host key verification. Default: false (to keep backward compatibility)
* feat: new ``debug`` option to see the commands executed (-x) by this action
* feat: this action is now scanned for vulnerabilities by Snyk
* feat; this action is now scanned by CodeQL for Q/A
* feat: this action now performs CI tasks such as Validation, Linting and Unit Tests
* fix: various shell syntax for robustness
* fix: use printf and redirect output to non-stdout instead of echo in sensitive code locations
* refactor: use $HOME instead of tilde ~ for robustness
* feat: cross-platform support
* chore: Deprecate 7.0.2
* chore: EOL 7.0.0 & 7.0.1
* chore: Add comprehensive SSH troubleshooting section to README
* chore: Enhance README with rsync documentation link, SSH key guide
* chore: further enrich readme with more troubleshooting + change secrets name from DEPLOY_* to REMOTE_*
* chore: Added a new section for versions and updated heading formatting.
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Burnett01 <1208707+Burnett01@users.noreply.github.com>
Co-authored-by: sovetski
Discovered by Code scanning alert no. 6: Workflow does not contain permissions (#78)
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
The latest rsync version 3.4.0 fixes a wide variety of CVE's:
CVE-2024-12084 - Heap Buffer Overflow in Checksum Parsing.
CVE-2024-12085 - Info Leak via uninitialized Stack contents defeats ASLR.
CVE-2024-12086 - Server leaks arbitrary client files.
CVE-2024-12087 - Server can make client write files outside of destination directory using symbolic links.
CVE-2024-12088 - --safe-links Bypass.
CVE-2024-12747 - symlink race condition.
See their press release: https://download.samba.org/pub/rsync/NEWS#3.4.0
The latest action version 7.0.2 is using rsync 3.4.0, so please use that.
- Pin @JoshPiper [drinternet/rsync](https://github.com/JoshPiper/rsync-docker) image by SHA-256 hash rather than version. (Immutability)
Added via #60
The docker image of this action is now pinned to the specific SHA-256 hash of the version rather than just the version.
This means for the latest `drinternet/rsync:v1.4.4` the corresponding hash is `drinternet/rsync@sha256:15b2949838074bd93c49421c22380396a0cd53a322439e799ac87afcadcfe234`
Check for validation: https://hub.docker.com/layers/drinternet/rsync/v1.4.4/images/sha256-15b2949838074bd93c49421c22380396a0cd53a322439e799ac87afcadcfe234
With that, usage of this action is even more secure due to a consistent dependency chain of trust,
since changes accompanied by a docker image hash are immutable.
Thanks to @XComp
- All versions 4.x are now EOL and no longer maintained
- All versions 5.x are now DEPRECATED and will become EOL within Q2 2024
- All versions 6.x are now MAINTENANCE and will become DEPRECATED within Q4 2024
