Merge pull request #69 from Burnett01/release/7.0.2

Release/7.0.2

.github/dependabot.yml

@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: docker
+    directory: /
+    schedule:
+      interval: monthly

Dockerfile

@@ -1,4 +1,9 @@
-FROM drinternet/rsync:v1.2.0
+# drinternet/rsync@v1.4.4
+FROM drinternet/rsync@sha256:15b2949838074bd93c49421c22380396a0cd53a322439e799ac87afcadcfe234
+
+# always force-upgrade rsync to get the latest security fixes
+RUN apk update && apk add --no-cache --upgrade rsync
+RUN rm -rf /var/cache/apk/*
 
 # Copy entrypoint
 COPY entrypoint.sh /entrypoint.sh

LICENSE

@@ -1,7 +1,7 @@
 MIT License
 
-Copyright (c) 2019-2021 Contention
-Copyright (c) 2019-2021 Burnett01
+Copyright (c) 2019-2022 Contention
+Copyright (c) 2019-2024 Burnett01
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

README.md

@@ -1,10 +1,13 @@
 # rsync deployments
 
-This GitHub Action deploys files in `GITHUB_WORKSPACE` to a remote folder via rsync over ssh. 
+This GitHub Action (amd64) deploys files in `GITHUB_WORKSPACE` to a remote folder via rsync over ssh. 
 
 Use this action in a CD workflow which leaves deployable code in `GITHUB_WORKSPACE`.
 
-The underlaying base-image of the docker-image is very small (Alpine (no cache)) which results in fast deployments.
+The base-image [drinternet/rsync](https://github.com/JoshPiper/rsync-docker/) of this action is very small and is based on Alpine 3.19.1 (no cache) which results in fast deployments.
+
+Alpine version: [3.19.1](https://alpinelinux.org/posts/Alpine-3.19.1-released.html)
+Rsync version: [3.4.0-r0](https://download.samba.org/pub/rsync/NEWS#3.4.0)
 
 ---
 
@@ -14,7 +17,9 @@ The underlaying base-image of the docker-image is very small (Alpine (no cache))
 
 - `rsh` - Remote shell commands
 
-- `path` - The source path. Defaults to GITHUB_WORKSPACE
+- `legacy_allow_rsa_hostkeys` - Enables support for legacy RSA host keys on OpenSSH 8.8+. ("true" / "false")
+
+- `path` - The source path. Defaults to GITHUB_WORKSPACE and is relative to it
 
 - `remote_path`* - The deployment target path
 
@@ -38,11 +43,13 @@ This action needs secret variables for the ssh private key of your key pair. The
 
 For simplicity, we are using `DEPLOY_*` as the secret variables throughout the examples.
 
+## Current Version: 7.0.2
+
 ## Example usage
 
 Simple:
 
-```
+```yml
 name: DEPLOY
 on:
   push:
@@ -53,9 +60,9 @@ jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
     - name: rsync deployments
-      uses: burnett01/rsync-deployments@5.0
+      uses: burnett01/rsync-deployments@7.0.2
       with:
         switches: -avzr --delete
         path: src/
@@ -67,14 +74,14 @@ jobs:
 
 Advanced:
 
-```
+```yml
 jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
     - name: rsync deployments
-      uses: burnett01/rsync-deployments@5.0
+      uses: burnett01/rsync-deployments@7.0.2
       with:
         switches: -avzr --delete --exclude="" --include="" --filter=""
         path: src/
@@ -87,14 +94,14 @@ jobs:
 
 For better **security**, I suggest you create additional secrets for remote_host, remote_port, remote_user and remote_path inputs.
 
-```
+```yml
 jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
     - name: rsync deployments
-      uses: burnett01/rsync-deployments@5.0
+      uses: burnett01/rsync-deployments@7.0.2
       with:
         switches: -avzr --delete
         path: src/
@@ -107,14 +114,14 @@ jobs:
 
 If your private key is passphrase protected you should use:
 
-```
+```yml
 jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
     - name: rsync deployments
-      uses: burnett01/rsync-deployments@5.0
+      uses: burnett01/rsync-deployments@7.0.2
       with:
         switches: -avzr --delete
         path: src/
@@ -125,11 +132,67 @@ jobs:
         remote_key: ${{ secrets.DEPLOY_KEY }}
         remote_key_pass: ${{ secrets.DEPLOY_KEY_PASS }}
 ```
+
 ---
 
-## Version 4.0 & 4.1
+#### Legacy RSA Hostkeys support for OpenSSH Servers >= 8.8+
 
-Looking for version 4.0 and 4.1?
+If your remote OpenSSH Server still uses RSA hostkeys, then you have to
+manually enable legacy support for this by using ``legacy_allow_rsa_hostkeys: "true"``.
+
+```yml
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - name: rsync deployments
+      uses: burnett01/rsync-deployments@7.0.2
+      with:
+        switches: -avzr --delete
+        legacy_allow_rsa_hostkeys: "true"
+        path: src/
+        remote_path: ${{ secrets.DEPLOY_PATH }}
+        remote_host: ${{ secrets.DEPLOY_HOST }}
+        remote_port: ${{ secrets.DEPLOY_PORT }}
+        remote_user: ${{ secrets.DEPLOY_USER }}
+        remote_key: ${{ secrets.DEPLOY_KEY }}
+```
+
+See [#49](https://github.com/Burnett01/rsync-deployments/issues/49) and [#24](https://github.com/Burnett01/rsync-deployments/issues/24) for more information.
+
+---
+
+## Version 7.0.0 & 7.0.1 (DEPRECATED)
+
+Check here: 
+
+- https://github.com/Burnett01/rsync-deployments/tree/7.0.0  (alpine 3.19.1)
+- https://github.com/Burnett01/rsync-deployments/tree/7.0.1  (alpine 3.19.1)
+  
+---
+
+## Version 6.0 (EOL)
+
+Check here: 
+
+- https://github.com/Burnett01/rsync-deployments/tree/6.0  (alpine 3.17.2)
+
+---
+
+## Version 5.0, 5.1 & 5.2 & 5.x (EOL)
+
+Check here: 
+
+- https://github.com/Burnett01/rsync-deployments/tree/5.0  (alpine 3.11.x)
+- https://github.com/Burnett01/rsync-deployments/tree/5.1  (alpine 3.14.1)
+- https://github.com/Burnett01/rsync-deployments/tree/5.2  (alpine 3.15.0)
+- https://github.com/Burnett01/rsync-deployments/tree/5.2.1  (alpine 3.16.1)
+- https://github.com/Burnett01/rsync-deployments/tree/5.2.2  (alpine 3.17.2)
+
+---
+
+## Version 4.0 & 4.1 (EOL)
 
 Check here: 
 
@@ -140,9 +203,7 @@ Version 4.0 & 4.1 use the ``drinternet/rsync:1.0.1`` base-image.
 
 ---
 
-## Version 3.0
-
-Looking for version 3.0?
+## Version 3.0 (EOL)
 
 Check here: https://github.com/Burnett01/rsync-deployments/tree/3.0
 
@@ -152,8 +213,6 @@ based on ``alpine:latest``and heavily optimized for rsync.
 
 ## Version 2.0 (EOL)
 
-Looking for version 2.0?
-
 Check here: https://github.com/Burnett01/rsync-deployments/tree/2.0
 
 Version 2.0 uses a larger base-image (``ubuntu:latest``).<br>
@@ -161,8 +220,6 @@ Consider upgrading to 3.0 for even faster deployments.
 
 ## Version 1.0 (EOL)
 
-Looking for version 1.0?
-
 Check here: https://github.com/Burnett01/rsync-deployments/tree/1.0
 
 Please note that version 1.0 has reached end of life state.
@@ -180,28 +237,17 @@ Please note that version 1.0 has reached end of life state.
 
 This action was featured in multiple blogs across the globe:
 
-- https://leobrack.co.uk/blog/2020-02-15-automatically-push-changes-to-your-live-site-with-github-actions
-
-- https://blog.maniak.co/ci-cd-for-wordpress/
+> Disclaimer: The author & co-authors are not responsible for the content of the site-links below.
 
 - https://elijahverdoorn.com/2020/04/14/automating-deployment-with-github-actions/
 
 - https://www.vektor-inc.co.jp/post/github-actions-deploy/
 
-- https://ews.ink/tech/blog-deploy-2/
-
 - https://webpick.info/automatiser-avec-github-actions/
 
 - https://matthias-andrasch.eu/blog/2021/tutorial-webseite-mittels-github-actions-deployment-zu-uberspace-uebertragen-rsync/
 
-- https://mikael.koutero.me/posts/hugo-github-actions-deploy-rsync/
-
-- https://cdmana.com/2021/02/20210208122400688I.html
-
 - https://jishuin.proginn.com/p/763bfbd38928
 
 - https://cloud.tencent.com/developer/article/1786522
 
-- http://www.ningco.cn/github_action_deploy_blog/
-
-- https://qdmana.com/2021/01/20210127094413405u.html

SECURITY.md

@@ -4,14 +4,17 @@
 
 The following versions are currently being supported with security updates:
 
-| Version | Supported          |
-| ------- | ------------------ |
-| 5.0   | :white_check_mark: |
-| 4.1   | :white_check_mark: |
-| 4.0   | :white_check_mark: |
-| 3.0   | :white_check_mark: |
-| 2.0   | :x:                |
-| 1.0   | :x:                |
+| Version | Supported          | Rsync version          |
+| ------- | ------------------ | ------------------ |
+| 7.0.2   | :white_check_mark: | >= 3.4.0 |
+| 7.0.1   | :warning: DEPRECATED | < 3.4.0 |
+| 7.0.0   | :warning: DEPRECATED | < 3.4.0|
+| 6.x   | :x: EOL |< 3.4.0|
+| 5.x   | :x: EOL |< 3.4.0|
+| 4.x   | :x: EOL |< 3.4.0|
+| 3.0   | :x: EOL |< 3.4.0|
+| 2.0   | :x: EOL               |< 3.4.0|
+| 1.0   | :x: EOL               |< 3.4.0|
 
 ## Reporting a Vulnerability
 

action.yml

@@ -9,6 +9,10 @@ inputs:
     description: 'The remote shell argument'
     required: false
     default: ''
+  legacy_allow_rsa_hostkeys:
+    description: 'Enables support for legacy RSA host keys on OpenSSH 8.8+'
+    required: false
+    default: 'false'
   path:
     description: 'The local path'
     required: false

entrypoint.sh

@@ -1,5 +1,10 @@
 #!/bin/sh
 
+if [ -z "$(echo "$INPUT_REMOTE_PATH" | awk '{$1=$1};1')" ]; then
+    echo "The remote_path can not be empty. see: github.com/Burnett01/rsync-deployments/issues/44"
+    exit 1
+fi
+
 # Start the SSH agent and load key.
 source agent-start "$GITHUB_ACTION"
 echo "$INPUT_REMOTE_KEY" | SSH_PASS="$INPUT_REMOTE_KEY_PASS" agent-add
@@ -8,8 +13,11 @@ echo "$INPUT_REMOTE_KEY" | SSH_PASS="$INPUT_REMOTE_KEY_PASS" agent-add
 set -eu
 
 # Variables.
+LEGACY_RSA_HOSTKEYS="-o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa"
+LEGACY_RSA_HOSTKEYS=$([ "$INPUT_LEGACY_ALLOW_RSA_HOSTKEYS" = "true" ] && echo "$LEGACY_RSA_HOSTKEYS" || echo "")
+
 SWITCHES="$INPUT_SWITCHES"
-RSH="ssh -o StrictHostKeyChecking=no -p $INPUT_REMOTE_PORT $INPUT_RSH"
+RSH="ssh -o StrictHostKeyChecking=no $LEGACY_RSA_HOSTKEYS -p $INPUT_REMOTE_PORT $INPUT_RSH"
 LOCAL_PATH="$GITHUB_WORKSPACE/$INPUT_PATH"
 DSN="$INPUT_REMOTE_USER@$INPUT_REMOTE_HOST"