Revise Media section and add new pingback links

Updated section title and added media links.

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,33 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+**Action version**
+eg. 7.0.1
+
+**Runner OS+Version**
+eg. ubuntu-latest
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Additional context**
+Add any other context about the problem here.

.github/dependabot.yml

@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: docker
+    directory: /
+    schedule:
+      interval: monthly

.github/workflows/ci-validating-linting-testing.yml

@@ -0,0 +1,165 @@
+# GitHub Actions CI workflow for rsync-deployments
+# This workflow validates the action on every push and pull request by:
+# - Running BATS tests for the entrypoint script
+# - Validating the action.yml definition
+# - Building and testing the Docker image
+# - Checking file structure and permissions
+# - Linting shell scripts
+# - Running a final integration check
+
+name: CI - Validating, Linting, Testing
+permissions:
+  contents: read
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    name: Test BATS Suite
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Install BATS
+      run: |
+        sudo apt-get update
+        sudo apt-get install -y bats
+
+    - name: Run BATS tests
+      run: bats test/entrypoint.bats
+
+  validate-action:
+    runs-on: ubuntu-latest
+    name: Validate Action Definition
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Validate action.yml
+      run: |
+        # Check if action.yml exists and has required fields
+        if [ ! -f "action.yml" ]; then
+          echo "Error: action.yml not found"
+          exit 1
+        fi
+        
+        # Basic validation that action.yml contains required fields
+        python3 -c "
+        import yaml
+        import sys
+        
+        with open('action.yml', 'r') as f:
+            action = yaml.safe_load(f)
+        
+        required_fields = ['name', 'description', 'inputs', 'runs']
+        for field in required_fields:
+            if field not in action:
+                print(f'Missing required field: {field}')
+                sys.exit(1)
+        
+        # Check required inputs exist
+        required_inputs = ['switches', 'remote_path', 'remote_host', 'remote_user', 'remote_key']
+        for input_name in required_inputs:
+            if input_name not in action['inputs']:
+                print(f'Missing required input: {input_name}')
+                sys.exit(1)
+            if not action['inputs'][input_name].get('required', False):
+                print(f'Input {input_name} should be marked as required')
+                sys.exit(1)
+        
+        print('Action definition is valid')
+        "
+
+  docker-build:
+    runs-on: ubuntu-latest
+    name: Build Docker Image
+    needs: [validate-action, action-structure]
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Build Docker image
+      run: |
+        echo "Building Docker image..."
+        docker build -t rsync-deployments . --no-cache
+        echo "Docker image built successfully"
+
+  action-structure:
+    runs-on: ubuntu-latest
+    name: Validate Action Structure
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Check required files
+      run: |
+        echo "Checking required files exist..."
+        
+        # Check all required files exist
+        required_files=("action.yml" "Dockerfile" "entrypoint.sh")
+        for file in "${required_files[@]}"; do
+          if [ ! -f "$file" ]; then
+            echo "Error: Required file $file not found"
+            exit 1
+          fi
+          echo "✓ $file exists"
+        done
+        
+        # Check entrypoint is executable
+        if [ ! -x "entrypoint.sh" ]; then
+          echo "Error: entrypoint.sh is not executable"
+          exit 1
+        fi
+        echo "✓ entrypoint.sh is executable"
+        
+        # Check basic script syntax
+        bash -n entrypoint.sh
+        echo "✓ entrypoint.sh has valid syntax"
+        
+        echo "All structure checks passed!"
+
+  lint-shell:
+    runs-on: ubuntu-latest
+    name: Lint Shell Scripts
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Install ShellCheck
+      run: |
+        sudo apt-get update
+        sudo apt-get install -y shellcheck
+
+    - name: Lint entrypoint.sh
+      run: |
+        echo "Linting shell scripts..."
+        # Run shellcheck with exclusions for Docker-specific dependencies
+        shellcheck -e SC1091 -e SC3046 entrypoint.sh || {
+          echo "ShellCheck found issues, but running with Docker-specific exclusions..."
+          shellcheck -e SC1091 -e SC3046 entrypoint.sh
+        }
+        echo "Shell script linting completed"
+
+  integration-check:
+    runs-on: ubuntu-latest
+    name: Integration Check
+    needs: [test, validate-action, docker-build, action-structure, lint-shell]
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Final integration check
+      run: |
+        echo "All CI jobs completed successfully!"
+        echo "✅ BATS tests passed"
+        echo "✅ Action definition validated"
+        echo "✅ Docker image built and tested"
+        echo "✅ File structure validated"
+        echo "✅ Shell scripts linted"
+        echo ""
+        echo "🎉 rsync-deployments action is ready for use!"

.github/workflows/snyk-docker-vulnerability-scan.yml

@@ -0,0 +1,36 @@
+name: Snyk Docker Vulnerability Scan
+
+on:
+  push:
+    branches: [ "master" ]
+  pull_request:
+    branches: [ "master" ]
+  schedule:
+    - cron: '39 13 * * 4'
+
+permissions:
+  contents: read
+
+jobs:
+  snyk:
+    permissions:
+      contents: read
+      security-events: write
+      actions: read
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - name: Build a Docker image
+      run: docker build -t burnett01/rsync-deployments .
+    - name: Run Snyk to check Docker image for vulnerabilities
+      continue-on-error: true
+      uses: snyk/actions/docker@master
+      env:
+        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+      with:
+        image: burnett01/rsync-deployments
+        args: --file=Dockerfile
+    - name: Upload result to GitHub Code Scanning
+      uses: github/codeql-action/upload-sarif@v3
+      with:
+        sarif_file: snyk.sarif

Dockerfile

@@ -1,4 +1,9 @@
-FROM drinternet/rsync:v1.2.0
+# drinternet/rsync@v1.5.1
+FROM drinternet/rsync@sha256:e61f4047577b566872764fa39299092adeab691efb3884248dbd6495dc926527
+
+# always force-upgrade rsync to get the latest security fixes
+RUN apk update && apk add --no-cache --upgrade rsync
+RUN rm -rf /var/cache/apk/*
 
 # Copy entrypoint
 COPY entrypoint.sh /entrypoint.sh

LICENSE

@@ -1,7 +1,7 @@
 MIT License
 
-Copyright (c) 2019-2021 Contention
-Copyright (c) 2019-2021 Burnett01
+Copyright (c) 2019-2022 Contention
+Copyright (c) 2019-2025 Burnett01
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

README.md

@@ -1,10 +1,19 @@
 # rsync deployments
 
-This GitHub Action deploys files in `GITHUB_WORKSPACE` to a remote folder via rsync over ssh. 
+[![CI - Validating, Linting, Testing](https://github.com/Burnett01/rsync-deployments/actions/workflows/ci-validating-linting-testing.yml/badge.svg)](https://github.com/Burnett01/rsync-deployments/actions/workflows/ci-validating-linting-testing.yml) 
+[![Snyk Docker Vulnerability Scan](https://github.com/Burnett01/rsync-deployments/actions/workflows/snyk-docker-vulnerability-scan.yml/badge.svg)](https://github.com/Burnett01/rsync-deployments/actions/workflows/snyk-docker-vulnerability-scan.yml) 
+[![CodeQL](https://github.com/Burnett01/rsync-deployments/actions/workflows/github-code-scanning/codeql/badge.svg)](https://github.com/Burnett01/rsync-deployments/actions/workflows/github-code-scanning/codeql) 
+[![Dependabot Updates](https://github.com/Burnett01/rsync-deployments/actions/workflows/dependabot/dependabot-updates/badge.svg)](https://github.com/Burnett01/rsync-deployments/actions/workflows/dependabot/dependabot-updates)
+
+
+This GitHub Action (amd64) deploys files in `GITHUB_WORKSPACE` to a remote folder via rsync over ssh. 
 
 Use this action in a CD workflow which leaves deployable code in `GITHUB_WORKSPACE`.
 
-The underlaying base-image of the docker-image is very small (Alpine (no cache)) which results in fast deployments.
+The base-image [drinternet/rsync](https://github.com/JoshPiper/rsync-docker/) of this action is very small and is based on Alpine 3.22.1 (no cache) which results in fast deployments.
+
+Alpine version: [3.22.1](https://alpinelinux.org/posts/Alpine-3.19.8-3.20.7-3.21.4-3.22.1-released.html)
+Rsync version: [3.4.1-r0](https://download.samba.org/pub/rsync/NEWS#3.4.1)
 
 ---
 
@@ -14,7 +23,9 @@ The underlaying base-image of the docker-image is very small (Alpine (no cache))
 
 - `rsh` - Remote shell commands
 
-- `path` - The source path. Defaults to GITHUB_WORKSPACE
+- `legacy_allow_rsa_hostkeys` - Enables support for legacy RSA host keys on OpenSSH 8.8+. ("true" / "false")
+
+- `path` - The source path. Defaults to GITHUB_WORKSPACE and is relative to it
 
 - `remote_path`* - The deployment target path
 
@@ -38,11 +49,13 @@ This action needs secret variables for the ssh private key of your key pair. The
 
 For simplicity, we are using `DEPLOY_*` as the secret variables throughout the examples.
 
+## Current Version: 7.1.0
+
 ## Example usage
 
 Simple:
 
-```
+```yml
 name: DEPLOY
 on:
   push:
@@ -53,9 +66,9 @@ jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
     - name: rsync deployments
-      uses: burnett01/rsync-deployments@5.0
+      uses: burnett01/rsync-deployments@7.1.0
       with:
         switches: -avzr --delete
         path: src/
@@ -67,14 +80,14 @@ jobs:
 
 Advanced:
 
-```
+```yml
 jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
     - name: rsync deployments
-      uses: burnett01/rsync-deployments@5.0
+      uses: burnett01/rsync-deployments@7.1.0
       with:
         switches: -avzr --delete --exclude="" --include="" --filter=""
         path: src/
@@ -87,14 +100,14 @@ jobs:
 
 For better **security**, I suggest you create additional secrets for remote_host, remote_port, remote_user and remote_path inputs.
 
-```
+```yml
 jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
     - name: rsync deployments
-      uses: burnett01/rsync-deployments@5.0
+      uses: burnett01/rsync-deployments@7.1.0
       with:
         switches: -avzr --delete
         path: src/
@@ -107,14 +120,14 @@ jobs:
 
 If your private key is passphrase protected you should use:
 
-```
+```yml
 jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
     - name: rsync deployments
-      uses: burnett01/rsync-deployments@5.0
+      uses: burnett01/rsync-deployments@7.1.0
       with:
         switches: -avzr --delete
         path: src/
@@ -125,11 +138,75 @@ jobs:
         remote_key: ${{ secrets.DEPLOY_KEY }}
         remote_key_pass: ${{ secrets.DEPLOY_KEY_PASS }}
 ```
+
 ---
 
-## Version 4.0 & 4.1
+#### Legacy RSA Hostkeys support for OpenSSH Servers >= 8.8+
 
-Looking for version 4.0 and 4.1?
+If your remote OpenSSH Server still uses RSA hostkeys, then you have to
+manually enable legacy support for this by using ``legacy_allow_rsa_hostkeys: "true"``.
+
+```yml
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - name: rsync deployments
+      uses: burnett01/rsync-deployments@7.1.0
+      with:
+        switches: -avzr --delete
+        legacy_allow_rsa_hostkeys: "true"
+        path: src/
+        remote_path: ${{ secrets.DEPLOY_PATH }}
+        remote_host: ${{ secrets.DEPLOY_HOST }}
+        remote_port: ${{ secrets.DEPLOY_PORT }}
+        remote_user: ${{ secrets.DEPLOY_USER }}
+        remote_key: ${{ secrets.DEPLOY_KEY }}
+```
+
+See [#49](https://github.com/Burnett01/rsync-deployments/issues/49) and [#24](https://github.com/Burnett01/rsync-deployments/issues/24) for more information.
+
+---
+
+## Version 7.0.2
+
+Check here: 
+
+- https://github.com/Burnett01/rsync-deployments/tree/7.0.2  (alpine 3.19.1)
+  
+---
+
+## Version 7.0.0 & 7.0.1 (DEPRECATED)
+
+Check here: 
+
+- https://github.com/Burnett01/rsync-deployments/tree/7.0.0  (alpine 3.19.1)
+- https://github.com/Burnett01/rsync-deployments/tree/7.0.1  (alpine 3.19.1)
+  
+---
+
+## Version 6.0 (EOL)
+
+Check here: 
+
+- https://github.com/Burnett01/rsync-deployments/tree/6.0  (alpine 3.17.2)
+
+---
+
+## Version 5.0, 5.1 & 5.2 & 5.x (EOL)
+
+Check here: 
+
+- https://github.com/Burnett01/rsync-deployments/tree/5.0  (alpine 3.11.x)
+- https://github.com/Burnett01/rsync-deployments/tree/5.1  (alpine 3.14.1)
+- https://github.com/Burnett01/rsync-deployments/tree/5.2  (alpine 3.15.0)
+- https://github.com/Burnett01/rsync-deployments/tree/5.2.1  (alpine 3.16.1)
+- https://github.com/Burnett01/rsync-deployments/tree/5.2.2  (alpine 3.17.2)
+
+---
+
+## Version 4.0 & 4.1 (EOL)
 
 Check here: 
 
@@ -140,9 +217,7 @@ Version 4.0 & 4.1 use the ``drinternet/rsync:1.0.1`` base-image.
 
 ---
 
-## Version 3.0
-
-Looking for version 3.0?
+## Version 3.0 (EOL)
 
 Check here: https://github.com/Burnett01/rsync-deployments/tree/3.0
 
@@ -152,8 +227,6 @@ based on ``alpine:latest``and heavily optimized for rsync.
 
 ## Version 2.0 (EOL)
 
-Looking for version 2.0?
-
 Check here: https://github.com/Burnett01/rsync-deployments/tree/2.0
 
 Version 2.0 uses a larger base-image (``ubuntu:latest``).<br>
@@ -161,8 +234,6 @@ Consider upgrading to 3.0 for even faster deployments.
 
 ## Version 1.0 (EOL)
 
-Looking for version 1.0?
-
 Check here: https://github.com/Burnett01/rsync-deployments/tree/1.0
 
 Please note that version 1.0 has reached end of life state.
@@ -176,32 +247,29 @@ Please note that version 1.0 has reached end of life state.
 
 ---
 
-## Media
+## Media & Pingback
 
 This action was featured in multiple blogs across the globe:
 
-- https://leobrack.co.uk/blog/2020-02-15-automatically-push-changes-to-your-live-site-with-github-actions
+> Disclaimer: The author & co-authors are not responsible for the content of the site-links below.
 
-- https://blog.maniak.co/ci-cd-for-wordpress/
+- https://hosting.xyz/wiki/hosting/other/github-actions/
+
+- https://www.alexander-palm.de/2025/07/22/sichere-rsync-deployments-mit-github-actions-und-rrsync/
+
+- https://lab.uberspace.de/howto_automatic-deployment/
+
+- https://blog.devops.dev/setting-up-an-ubuntu-instance-for-nodejs-apps-in-ovh-cloud-using-nginx-pm2-github-actions-7618c768d081
 
 - https://elijahverdoorn.com/2020/04/14/automating-deployment-with-github-actions/
 
 - https://www.vektor-inc.co.jp/post/github-actions-deploy/
 
-- https://ews.ink/tech/blog-deploy-2/
-
 - https://webpick.info/automatiser-avec-github-actions/
 
 - https://matthias-andrasch.eu/blog/2021/tutorial-webseite-mittels-github-actions-deployment-zu-uberspace-uebertragen-rsync/
 
-- https://mikael.koutero.me/posts/hugo-github-actions-deploy-rsync/
-
-- https://cdmana.com/2021/02/20210208122400688I.html
-
 - https://jishuin.proginn.com/p/763bfbd38928
 
 - https://cloud.tencent.com/developer/article/1786522
 
-- http://www.ningco.cn/github_action_deploy_blog/
-
-- https://qdmana.com/2021/01/20210127094413405u.html

SECURITY.md

@@ -4,14 +4,18 @@
 
 The following versions are currently being supported with security updates:
 
-| Version | Supported          |
-| ------- | ------------------ |
-| 5.0   | :white_check_mark: |
-| 4.1   | :white_check_mark: |
-| 4.0   | :white_check_mark: |
-| 3.0   | :white_check_mark: |
-| 2.0   | :x:                |
-| 1.0   | :x:                |
+| Version | Supported          | Rsync version          |
+| ------- | ------------------ | ------------------ |
+| 7.1.0  | :white_check_mark: | >= 3.4.1 |
+| 7.0.2   | :white_check_mark: | >= 3.4.0 |
+| 7.0.1   | :warning: DEPRECATED | < 3.4.0 |
+| 7.0.0   | :warning: DEPRECATED | < 3.4.0|
+| 6.x   | :x: EOL |< 3.4.0|
+| 5.x   | :x: EOL |< 3.4.0|
+| 4.x   | :x: EOL |< 3.4.0|
+| 3.0   | :x: EOL |< 3.4.0|
+| 2.0   | :x: EOL               |< 3.4.0|
+| 1.0   | :x: EOL               |< 3.4.0|
 
 ## Reporting a Vulnerability
 

action.yml

@@ -9,6 +9,10 @@ inputs:
     description: 'The remote shell argument'
     required: false
     default: ''
+  legacy_allow_rsa_hostkeys:
+    description: 'Enables support for legacy RSA host keys on OpenSSH 8.8+'
+    required: false
+    default: 'false'
   path:
     description: 'The local path'
     required: false

entrypoint.sh

@@ -1,5 +1,10 @@
 #!/bin/sh
 
+if [ -z "$(echo "$INPUT_REMOTE_PATH" | awk '{$1=$1};1')" ]; then
+    echo "The remote_path can not be empty. see: github.com/Burnett01/rsync-deployments/issues/44"
+    exit 1
+fi
+
 # Start the SSH agent and load key.
 source agent-start "$GITHUB_ACTION"
 echo "$INPUT_REMOTE_KEY" | SSH_PASS="$INPUT_REMOTE_KEY_PASS" agent-add
@@ -8,8 +13,11 @@ echo "$INPUT_REMOTE_KEY" | SSH_PASS="$INPUT_REMOTE_KEY_PASS" agent-add
 set -eu
 
 # Variables.
+LEGACY_RSA_HOSTKEYS="-o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa"
+LEGACY_RSA_HOSTKEYS=$([ "$INPUT_LEGACY_ALLOW_RSA_HOSTKEYS" = "true" ] && echo "$LEGACY_RSA_HOSTKEYS" || echo "")
+
 SWITCHES="$INPUT_SWITCHES"
-RSH="ssh -o StrictHostKeyChecking=no -p $INPUT_REMOTE_PORT $INPUT_RSH"
+RSH="ssh -o StrictHostKeyChecking=no $LEGACY_RSA_HOSTKEYS -p $INPUT_REMOTE_PORT $INPUT_RSH"
 LOCAL_PATH="$GITHUB_WORKSPACE/$INPUT_PATH"
 DSN="$INPUT_REMOTE_USER@$INPUT_REMOTE_HOST"
 

test/entrypoint.bats

@@ -0,0 +1,65 @@
+#!/usr/bin/env bats
+
+setup() {
+    # Create a dummy ssh agent and agent-add for sourcing
+    echo 'echo "agent started"' > agent-start
+    echo 'echo "key added"' > agent-add
+    chmod +x agent-start agent-add
+
+    # Create a dummy rsync to capture its arguments
+    echo 'echo "rsync $@"' > rsync
+    chmod +x rsync
+
+    PATH="$PWD:$PATH"
+}
+
+teardown() {
+    rm -f agent-start agent-add rsync
+}
+
+@test "fails if INPUT_REMOTE_PATH is empty" {
+    export INPUT_REMOTE_PATH=" "
+    run ./entrypoint.sh
+    [ "$status" -eq 1 ]
+    [[ "${output}" == *"can not be empty"* ]]
+}
+
+@test "includes legacy RSA switches when allowed" {
+    export INPUT_LEGACY_ALLOW_RSA_HOSTKEYS="true"
+    export INPUT_REMOTE_PATH="remote/"
+    export INPUT_REMOTE_KEY="dummy"
+    export INPUT_REMOTE_KEY_PASS="dummy"
+    export GITHUB_ACTION="dummy"
+    export INPUT_SWITCHES="-avz"
+    export INPUT_REMOTE_PORT="22"
+    export INPUT_RSH=""
+    export INPUT_PATH=""
+    export INPUT_REMOTE_USER="user"
+    export INPUT_REMOTE_HOST="host"
+    export GITHUB_WORKSPACE="/tmp"
+    export DSN="user@host"
+    export LOCAL_PATH="/tmp/"
+
+    run ./entrypoint.sh
+    [[ "${output}" == *"HostKeyAlgorithms=+ssh-rsa"* ]]
+}
+
+@test "does not include legacy RSA switches when not allowed" {
+    export INPUT_LEGACY_ALLOW_RSA_HOSTKEYS="false"
+    export INPUT_REMOTE_PATH="remote/"
+    export INPUT_REMOTE_KEY="dummy"
+    export INPUT_REMOTE_KEY_PASS="dummy"
+    export GITHUB_ACTION="dummy"
+    export INPUT_SWITCHES="-avz"
+    export INPUT_REMOTE_PORT="22"
+    export INPUT_RSH=""
+    export INPUT_PATH=""
+    export INPUT_REMOTE_USER="user"
+    export INPUT_REMOTE_HOST="host"
+    export GITHUB_WORKSPACE="/tmp"
+    export DSN="user@host"
+    export LOCAL_PATH="/tmp/"
+
+    run ./entrypoint.sh
+    [[ "${output}" != *"HostKeyAlgorithms=+ssh-rsa"* ]]
+}