* feat: latest Alpine 3.23.0
* feat: latest Rsync 3.4.1-r1
* feat: integrate [rsync-docker](https://github.com/JoshPiper/rsync-docker/) 3rd party into this action as 1st party code (no more dependency, better audit, single source of truth)
  - backported:
    - agent-start
    - agent-stop
    - agent-askpass
    - agent-add
    - hosts-add
    - hosts-clear
  - newly added:
    - ssh-init
    - hosts-init
  - improved:
    - stricter permissions on .ssh/ folder (700) and known_hosts (600)
    - use set -eu in all scripts
* feat: new ``strict_host_keys`` option to enable support for strict host key verification. Default: false (to keep backward compatibility)
* feat: new ``debug`` option to see the commands executed (-x) by this action
* feat: this action is now scanned for vulnerabilities by Snyk
* feat: this action is now scanned by CodeQL for QA
* feat: this action now performs CI tasks such as Validation, Linting and Unit Tests
* fix: various shell syntax for robustness
* fix: use printf and redirect output to non-stdout instead of echo in sensitive code locations
* refactor: use $HOME instead of tilde ~ for robustness
* feat: cross-platform support
* chore: Deprecate 7.0.2
* chore: EOL 7.0.0 & 7.0.1
* chore: Add comprehensive SSH troubleshooting section to README
* chore: Enhance README with rsync documentation link, SSH key guide
* chore: further enrich readme with more troubleshooting + change secrets name from DEPLOY_* to REMOTE_*
* chore: Added a new section for versions and updated heading formatting.
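The hardening items above (700 on `.ssh/`, 600 on `known_hosts`, `set -eu`, `printf` with redirection instead of `echo`, and the `strict_host_keys` switch) fit in a few lines of POSIX shell. The following is an added illustration, not the action's own `ssh-init`/`hosts-add` scripts: the function names, the `deploy_key` file name and the assumption that the non-strict mode passes `StrictHostKeyChecking=no` are this example's choices, and the key and host-key material are constructed placeholders.

```shell
#!/bin/sh
# Added example (not the action's own scripts): minimal ssh-init / hosts-add /
# key-add helpers with the hardening described in the release notes. Function
# names, the deploy_key file name and the non-strict behaviour are assumptions.
set -eu

# Create $1/.ssh with mode 700 and an empty known_hosts with mode 600.
# umask 077 makes every file created afterwards private by default.
ssh_init() {
    ssh_home="$1"
    umask 077
    mkdir -p "$ssh_home/.ssh"
    chmod 700 "$ssh_home/.ssh"
    : > "$ssh_home/.ssh/known_hosts"
    chmod 600 "$ssh_home/.ssh/known_hosts"
}

# Write a private key from a variable. printf '%s\n' does not interpret
# backslashes or a leading '-' the way some echo builtins do, and the
# redirect keeps the key off stdout (and therefore out of the job log).
key_add() {
    ssh_home="$1"; key_material="$2"
    umask 077
    printf '%s\n' "$key_material" > "$ssh_home/.ssh/deploy_key"
    chmod 600 "$ssh_home/.ssh/deploy_key"
}

# Append one known_hosts line (the format ssh-keyscan prints). Nothing is
# written to stdout, so the host key never appears in the log either.
hosts_add() {
    ssh_home="$1"; host_line="$2"
    printf '%s\n' "$host_line" >> "$ssh_home/.ssh/known_hosts"
}

# Build the ssh command rsync runs via -e. With strict=true the server's key
# must already be in known_hosts or the connection fails; the non-strict
# branch (assumed legacy behaviour) disables the check for older workflows.
ssh_command() {
    ssh_home="$1"; strict="$2"
    if [ "$strict" = "true" ]; then
        check="StrictHostKeyChecking=yes"
    else
        check="StrictHostKeyChecking=no"
    fi
    printf 'ssh -i %s/.ssh/deploy_key -o UserKnownHostsFile=%s/.ssh/known_hosts -o %s' \
        "$ssh_home" "$ssh_home" "$check"
}

# Permission string as shown by ls -ld; works on GNU and BSD userlands alike.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Demo on a throwaway HOME with constructed (not real) key material.
demo() {
    tmp=$(mktemp -d)
    ssh_init "$tmp"
    key_add "$tmp" "-----BEGIN OPENSSH PRIVATE KEY-----
constructed-placeholder-not-a-real-key
-----END OPENSSH PRIVATE KEY-----"
    hosts_add "$tmp" "deploy.example.invalid ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedPlaceholderKey"
    echo "$(mode_of "$tmp/.ssh") $(mode_of "$tmp/.ssh/known_hosts") $(mode_of "$tmp/.ssh/deploy_key")"
    ssh_command "$tmp" true; echo
    rm -rf "$tmp"
}

demo
```

In a workflow the result is used as `rsync -avz -e "$(ssh_command "$HOME" true)" ./dist/ user@host:/srv/app/`, after the server's key has been added with `hosts_add` from a value you obtained out-of-band (for example from `ssh-keyscan` run once on a trusted machine), which is what makes the strict mode meaningful.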
---------
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Burnett01 <1208707+Burnett01@users.noreply.github.com>
Co-authored-by: sovetski
Discovered by Code scanning alert no. 6: Workflow does not contain permissions (#78)
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
The latest rsync version 3.4.0 fixes a wide variety of CVEs:
CVE-2024-12084 - Heap Buffer Overflow in Checksum Parsing.
CVE-2024-12085 - Info Leak via uninitialized Stack contents defeats ASLR.
CVE-2024-12086 - Server leaks arbitrary client files.
CVE-2024-12087 - Server can make client write files outside of destination directory using symbolic links.
CVE-2024-12088 - --safe-links Bypass.
CVE-2024-12747 - symlink race condition.
See the rsync NEWS entry: https://download.samba.org/pub/rsync/NEWS#3.4.0
The latest action version 7.0.2 uses rsync 3.4.0, so please upgrade to that.
- Pin @JoshPiper [drinternet/rsync](https://github.com/JoshPiper/rsync-docker) image by SHA-256 digest rather than by version tag (immutability)
Added via #60
The docker image of this action is now pinned to the SHA-256 digest of the specific image rather than just the version tag.
This means for the latest `drinternet/rsync:v1.4.4` the corresponding reference is `drinternet/rsync@sha256:15b2949838074bd93c49421c22380396a0cd53a322439e799ac87afcadcfe234`
Verify it on Docker Hub: https://hub.docker.com/layers/drinternet/rsync/v1.4.4/images/sha256-15b2949838074bd93c49421c22380396a0cd53a322439e799ac87afcadcfe234
With that, usage of this action is more secure because the dependency chain of trust is now consistent:
a tag such as `v1.4.4` can be re-pointed at a different image at any time, whereas a digest identifies exactly one image manifest, so a reference pinned by digest cannot silently change.
Thanks to @XComp
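The same check can be enforced in CI so a future edit cannot quietly drop the digest again. The following is an added example, not part of this action's code: a small POSIX shell script that extracts the `image:` reference from an `action.yml` and fails unless it carries an `@sha256:` digest. The two `action.yml` fragments are constructed for the example; the digest is the one quoted above for `drinternet/rsync:v1.4.4`.

```shell
#!/bin/sh
# Added example, not the action's own code: a CI check that the container
# image referenced by action.yml is pinned by digest, as this release does.
set -eu

# Succeed when the reference ends in @sha256:<64 hex digits>. A tag such as
# :v1.4.4 can be re-pushed to point at different content; a digest names one
# specific manifest, so a digest-pinned reference cannot silently change.
is_digest_pinned() {
    printf '%s\n' "$1" | grep -Eq '@sha256:[0-9a-f]{64}$'
}

# Print the first `image:` value from an action.yml read on stdin, dropping
# surrounding quotes and the docker:// scheme. Only the simple one-line form
# used by Docker container actions is handled.
image_ref_from_action_yml() {
    sed -n 's/^[[:space:]]*image:[[:space:]]*//p' | tr -d "\"'" | sed 's#^docker://##' | head -n 1
}

# Exit status: 0 pinned by digest, 1 tag-only reference, 2 no image line.
check_action_yml() {
    ref=$(image_ref_from_action_yml)
    [ -n "$ref" ] || return 2
    is_digest_pinned "$ref"
}

# Constructed action.yml fragments for the demo (not the real file).
UNPINNED_YML='runs:
  using: docker
  image: "docker://drinternet/rsync:v1.4.4"'
PINNED_YML='runs:
  using: docker
  image: docker://drinternet/rsync@sha256:15b2949838074bd93c49421c22380396a0cd53a322439e799ac87afcadcfe234'

# Human-readable verdict; the exit status of check_action_yml is what a CI
# job would gate on.
report() {
    rc=0
    printf '%s\n' "$2" | check_action_yml || rc=$?
    case "$rc" in
        0) printf '%s: pinned by digest\n' "$1" ;;
        1) printf '%s: NOT pinned (mutable tag)\n' "$1" ;;
        *) printf '%s: no image reference found\n' "$1" ;;
    esac
    return "$rc"
}

report unpinned "$UNPINNED_YML" || true
report pinned "$PINNED_YML"
```

To obtain the digest for a tag before pinning it, pull the image and read its repository digest with `docker pull drinternet/rsync:v1.4.4 && docker inspect --format '{{index .RepoDigests 0}}' drinternet/rsync:v1.4.4`, then compare the value with the one shown on Docker Hub.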
- All versions 4.x are now EOL and no longer maintained
- All versions 5.x are now DEPRECATED and will become EOL within Q2 2024
- All versions 6.x are now MAINTENANCE and will become DEPRECATED within Q4 2024
- It is no longer possible to use an empty string as remote_path (Fixes #44) (Thanks to @maximilliangeorge)
- Updated checkout action in examples from v2 to v3
- Added disclaimer to media site-links
- Overall readme improvements