Compare commits

...

30 commits

Author SHA1 Message Date
Steven Agyekum
22a7777152
Merge pull request #69 from Burnett01/release/7.0.2
Release/7.0.2
2025-01-19 15:36:00 +01:00
Steven Agyekum
3cccb68511
Update SECURITY.md 2025-01-19 15:32:42 +01:00
Steven Agyekum
e642759b84
new version 7.0.2 (with rsync 3.4.0), deprecate old versions, remove dead links
The latest rsync version 3.4.0 fixes a wide variety of CVEs:

CVE-2024-12084 - Heap Buffer Overflow in Checksum Parsing.

CVE-2024-12085 - Info Leak via uninitialized Stack contents defeats ASLR.

CVE-2024-12086 - Server leaks arbitrary client files.

CVE-2024-12087 - Server can make client write files outside of destination directory using symbolic links.

CVE-2024-12088 - --safe-links Bypass.

CVE-2024-12747 - symlink race condition.

See their press release: https://download.samba.org/pub/rsync/NEWS#3.4.0

The latest action version 7.0.2 is using rsync 3.4.0, so please use that.
2025-01-19 15:29:07 +01:00
Steven Agyekum
76404482ea
always force-upgrade rsync to get the latest security upgrades 2025-01-19 15:19:29 +01:00
Steven Agyekum
d19dd4a0be
Merge pull request #68 from ilyabrin/patch-1
Update README.md
2024-09-22 11:35:23 +02:00
Ilya Brin
f825a1ed74
Update README.md
added syntax highlighting
2024-09-14 14:32:58 +03:00
Steven Agyekum
796cf0d5e4
Merge pull request #61 from Burnett01/release/7.0.1
- Pin @JoshPiper [drinternet/rsync](https://github.com/JoshPiper/rsync-docker) image by SHA-256 hash rather than version. (Immutability)
Added via #60

The docker image of this action is now pinned to the specific SHA-256 hash of the version rather than just the version.
This means for the latest `drinternet/rsync:v1.4.4` the corresponding hash is `drinternet/rsync@sha256:15b2949838074bd93c49421c22380396a0cd53a322439e799ac87afcadcfe234`

Check for validation: https://hub.docker.com/layers/drinternet/rsync/v1.4.4/images/sha256-15b2949838074bd93c49421c22380396a0cd53a322439e799ac87afcadcfe234

With that, usage of this action is even more secure due to a consistent dependency chain of trust,
since changes accompanied by a docker image hash are immutable.

Thanks to @XComp
2024-03-31 18:11:10 +02:00
Steven Agyekum
b2bc75ad2c
Merge pull request #60 from XComp/use-hash-instead-of-version-tag
Use SHA instead of Docker version tag for base image to allow for consistent code execution.
2024-03-31 17:50:56 +02:00
Steven Agyekum
93c0d7acae
upd: mention version 7.0.1 2024-03-30 10:49:50 +01:00
Steven Agyekum
13aa4f9f57
update year to 2024 2024-03-30 10:46:13 +01:00
Matthias Pohl
b16614048b
Use SHA instead of Docker version tag for base image to allow for consistent code execution. 2024-03-28 17:53:03 +01:00
Steven Agyekum
e1c5b900e9
Merge pull request #59 from Burnett01/release/7.0.0
Release/7.0.0
2024-03-06 15:06:24 +01:00
Steven Agyekum
93f02b856f
chore: adjust readme for release 7.0.0 2024-03-06 15:04:26 +01:00
Steven Agyekum
21c0e5a9d9
chore: mention latest Alpine 3.19.1 2024-03-06 14:33:58 +01:00
Steven Agyekum
c88a1dbded
chore: adjust for EOL, DEPRECATION and MAINTENANCE 2024-03-06 14:33:02 +01:00
Steven Agyekum
b9a68ac619
chore!: Versions 4.x EOL, 5.x DEPRECATED, 6.x MAINTENANCE
- All versions 4.x are now EOL and no longer maintained
- All versions 5.x are now DEPRECATED and will become EOL within Q2 2024
- All versions 6.x are now MAINTENANCE and will become DEPRECATED within Q4 2024
2024-03-06 12:35:07 +01:00
Steven Agyekum
f479c97783
chore: mention new legacy_allow_rsa_hostkeys option 2024-03-06 12:29:40 +01:00
Steven Agyekum
008719532f
feat: configurable legacy RSA hostkeys support
Ability to configure legacy rsa hostkeys support for
OpenSSH servers < 8.8.
Related to #24 and 9603fc8
2024-03-06 12:20:39 +01:00
Steven Agyekum
9603fc8186
feat: Make usage of legacy rsa hostkeys conditional
The usage of RSA host keys introduced with c7baefdc23 
was adjusted to make it conditional/configurable and to keep
backward compatibility
2024-03-06 12:16:35 +01:00
Steven Agyekum
580c98fc2e
Merge pull request #58 from Burnett01/release/5.3
Backmerge unofficial release/5.3 into new upcoming release/7.0.0
2024-03-06 12:04:45 +01:00
Steven Agyekum
ee287eb1f0
feat: Update base image to latest 1.4.4 (alpine 3.19.1) 2024-03-06 11:58:08 +01:00
Steven Agyekum
c04732dab2
added v6 as new major 2023-06-08 18:05:17 +02:00
Steven Agyekum
fb06973f0e
Merge pull request #45 from Burnett01/release/6.0.0
Release/6.0.0
2023-06-08 17:54:57 +02:00
Steven Agyekum
45d84ad5f6
New version 6.0.0
- It is no longer possible to use an empty string as remote_path (Fixes #44) (Thanks to @maximilliangeorge)
- Updated checkout action in examples from v2 to v3
- Added disclaimer to media site-links
- Overall readme improvements
2023-06-08 17:54:10 +02:00
Steven Agyekum
d732b39732
improved string empty check for remote_path 2023-06-08 17:35:29 +02:00
Steven Agyekum
570fd6bb52
fix empty string check 2023-06-08 17:27:31 +02:00
Steven Agyekum
bef106d127
validate remote_path is not empty 2023-06-08 17:23:41 +02:00
Steven Agyekum
d987a9a536
Merge pull request #32 from Burnett01/dependabot/docker/drinternet/rsync-v1.4.1
Bump drinternet/rsync from v1.4.0 to v1.4.1
2022-08-01 17:31:49 +02:00
Steven Agyekum
a078b62820
Merge pull request #24 from jasongill/patch-1
Re-allow RSA host keys with SSH
2022-03-24 19:06:39 +01:00
Jason Gill
c7baefdc23
Allow RSA host keys
RSA host keys are disabled by default on OpenSSH 8.8+ which is used by the base Alpine image, but many servers still use RSA host keys
2022-03-02 12:29:53 -05:00
6 changed files with 101 additions and 39 deletions

View file

@ -1,4 +1,9 @@
FROM drinternet/rsync:v1.4.3
# drinternet/rsync@v1.4.4
FROM drinternet/rsync@sha256:15b2949838074bd93c49421c22380396a0cd53a322439e799ac87afcadcfe234
# always force-upgrade rsync to get the latest security fixes
RUN apk update && apk add --no-cache --upgrade rsync
RUN rm -rf /var/cache/apk/*
# Copy entrypoint
COPY entrypoint.sh /entrypoint.sh
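Review bot: the `RUN apk update && apk add --no-cache --upgrade rsync` line gives back part of what the digest pin above it buys. The base layer is now immutable, but the rsync package installed on top of it is whatever the Alpine repository serves at build time, so two builds of the same Dockerfile can end up with different rsync versions and the `3.4.0-r0` stated in the README is not enforced by anything in this hunk. Suggest pinning the package with apk's exact-version syntax (`apk add --no-cache rsync=3.4.0-r0`) or, if the intent really is "always newest", adding a build-time check such as `rsync --version | grep -q 'version 3.4.0'` so the image fails to build rather than silently shipping an older rsync. Minor: `apk update` is redundant with `--no-cache`, which fetches a fresh index without writing it to disk, and the separate `RUN rm -rf /var/cache/apk/*` layer cannot shrink the image because that cache was never populated.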

View file

@ -1,7 +1,7 @@
MIT License
Copyright (c) 2019-2022 Contention
Copyright (c) 2019-2022 Burnett01
Copyright (c) 2019-2024 Burnett01
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal

View file

@ -4,7 +4,10 @@ This GitHub Action (amd64) deploys files in `GITHUB_WORKSPACE` to a remote folde
Use this action in a CD workflow which leaves deployable code in `GITHUB_WORKSPACE`.
The base-image (drinternet/rsync) of this action is very small and is based on Alpine 3.17.2 (no cache) which results in fast deployments.
The base-image [drinternet/rsync](https://github.com/JoshPiper/rsync-docker/) of this action is very small and is based on Alpine 3.19.1 (no cache) which results in fast deployments.
Alpine version: [3.19.1](https://alpinelinux.org/posts/Alpine-3.19.1-released.html)
Rsync version: [3.4.0-r0](https://download.samba.org/pub/rsync/NEWS#3.4.0)
---
@ -14,6 +17,8 @@ The base-image (drinternet/rsync) of this action is very small and is based on A
- `rsh` - Remote shell commands
- `legacy_allow_rsa_hostkeys` - Enables support for legacy RSA host keys on OpenSSH 8.8+. ("true" / "false")
- `path` - The source path. Defaults to GITHUB_WORKSPACE and is relative to it
- `remote_path`* - The deployment target path
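Review bot: the description of `legacy_allow_rsa_hostkeys` at `- \`legacy_allow_rsa_hostkeys\` - Enables support for legacy RSA host keys on OpenSSH 8.8+` reads as if the 8.8+ requirement were on the remote server, while the commit message says the option is for "OpenSSH servers < 8.8". The restriction actually lives in the action's own ssh client (OpenSSH 8.8+ in the Alpine base image), which stops offering the SHA-1 `ssh-rsa` algorithm by default; the servers that need this flag are the ones that still only present RSA/SHA-1 host keys. Suggest wording it as "Re-enables the SHA-1 `ssh-rsa` host key algorithm, which the image's OpenSSH 8.8+ client disables by default; only needed for older servers that do not offer RSA/SHA-2 or ED25519 host keys (\"true\" / \"false\")", so users understand they are opting back into a deprecated signature scheme and leave it at the default unless they must.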
@ -38,11 +43,13 @@ This action needs secret variables for the ssh private key of your key pair. The
For simplicity, we are using `DEPLOY_*` as the secret variables throughout the examples.
## Current Version: 7.0.2
## Example usage
Simple:
```
```yml
name: DEPLOY
on:
push:
@ -53,9 +60,9 @@ jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v3
- name: rsync deployments
uses: burnett01/rsync-deployments@5.2.2
uses: burnett01/rsync-deployments@7.0.2
with:
switches: -avzr --delete
path: src/
@ -67,14 +74,14 @@ jobs:
Advanced:
```
```yml
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v3
- name: rsync deployments
uses: burnett01/rsync-deployments@5.2.2
uses: burnett01/rsync-deployments@7.0.2
with:
switches: -avzr --delete --exclude="" --include="" --filter=""
path: src/
@ -87,14 +94,14 @@ jobs:
For better **security**, I suggest you create additional secrets for remote_host, remote_port, remote_user and remote_path inputs.
```
```yml
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v3
- name: rsync deployments
uses: burnett01/rsync-deployments@5.2.2
uses: burnett01/rsync-deployments@7.0.2
with:
switches: -avzr --delete
path: src/
@ -107,14 +114,14 @@ jobs:
If your private key is passphrase protected you should use:
```
```yml
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v3
- name: rsync deployments
uses: burnett01/rsync-deployments@5.2.2
uses: burnett01/rsync-deployments@7.0.2
with:
switches: -avzr --delete
path: src/
@ -125,9 +132,55 @@ jobs:
remote_key: ${{ secrets.DEPLOY_KEY }}
remote_key_pass: ${{ secrets.DEPLOY_KEY_PASS }}
```
---
## Version 5.0, 5.1 & 5.2
#### Legacy RSA Hostkeys support for OpenSSH Servers >= 8.8+
If your remote OpenSSH Server still uses RSA hostkeys, then you have to
manually enable legacy support for this by using ``legacy_allow_rsa_hostkeys: "true"``.
```yml
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: rsync deployments
uses: burnett01/rsync-deployments@7.0.2
with:
switches: -avzr --delete
legacy_allow_rsa_hostkeys: "true"
path: src/
remote_path: ${{ secrets.DEPLOY_PATH }}
remote_host: ${{ secrets.DEPLOY_HOST }}
remote_port: ${{ secrets.DEPLOY_PORT }}
remote_user: ${{ secrets.DEPLOY_USER }}
remote_key: ${{ secrets.DEPLOY_KEY }}
```
See [#49](https://github.com/Burnett01/rsync-deployments/issues/49) and [#24](https://github.com/Burnett01/rsync-deployments/issues/24) for more information.
---
## Version 7.0.0 & 7.0.1 (DEPRECATED)
Check here:
- https://github.com/Burnett01/rsync-deployments/tree/7.0.0 (alpine 3.19.1)
- https://github.com/Burnett01/rsync-deployments/tree/7.0.1 (alpine 3.19.1)
---
## Version 6.0 (EOL)
Check here:
- https://github.com/Burnett01/rsync-deployments/tree/6.0 (alpine 3.17.2)
---
## Version 5.0, 5.1 & 5.2 & 5.x (EOL)
Check here:
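Review bot: the heading `#### Legacy RSA Hostkeys support for OpenSSH Servers >= 8.8+` has the direction backwards relative to the rest of the change: the commit message says "OpenSSH servers < 8.8" and the 8.8+ cutoff belongs to the ssh client inside the image, not to the remote server. Suggest "Legacy RSA host keys (servers that only offer ssh-rsa with SHA-1)" or similar, and a sentence under it pointing out that the better long-term fix is to add an RSA/SHA-2 or ED25519 host key on the server, since this flag re-enables a signature scheme OpenSSH disabled for a reason. Also, if the bare `## Version 5.0, 5.1 & 5.2` heading that precedes this section survives in the new text next to `## Version 5.0, 5.1 & 5.2 & 5.x (EOL)`, one of the two should be dropped; it is not possible to tell from the flattened hunk which one is the deletion.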
@ -136,10 +189,10 @@ Check here:
- https://github.com/Burnett01/rsync-deployments/tree/5.2 (alpine 3.15.0)
- https://github.com/Burnett01/rsync-deployments/tree/5.2.1 (alpine 3.16.1)
- https://github.com/Burnett01/rsync-deployments/tree/5.2.2 (alpine 3.17.2)
-
---
## Version 4.0 & 4.1
## Version 4.0 & 4.1 (EOL)
Check here:
@ -184,28 +237,17 @@ Please note that version 1.0 has reached end of life state.
This action was featured in multiple blogs across the globe:
- https://leobrack.co.uk/blog/2020-02-15-automatically-push-changes-to-your-live-site-with-github-actions
- https://blog.maniak.co/ci-cd-for-wordpress/
> Disclaimer: The author & co-authors are not responsible for the content of the site-links below.
- https://elijahverdoorn.com/2020/04/14/automating-deployment-with-github-actions/
- https://www.vektor-inc.co.jp/post/github-actions-deploy/
- https://ews.ink/tech/blog-deploy-2/
- https://webpick.info/automatiser-avec-github-actions/
- https://matthias-andrasch.eu/blog/2021/tutorial-webseite-mittels-github-actions-deployment-zu-uberspace-uebertragen-rsync/
- https://mikael.koutero.me/posts/hugo-github-actions-deploy-rsync/
- https://cdmana.com/2021/02/20210208122400688I.html
- https://jishuin.proginn.com/p/763bfbd38928
- https://cloud.tencent.com/developer/article/1786522
- http://www.ningco.cn/github_action_deploy_blog/
- https://qdmana.com/2021/01/20210127094413405u.html

View file

@ -4,14 +4,17 @@
The following versions are currently being supported with security updates:
| Version | Supported |
| ------- | ------------------ |
| 5.x | :white_check_mark: |
| 4.1 | :white_check_mark: |
| 4.0 | :white_check_mark: |
| 3.0 | :x: |
| 2.0 | :x: |
| 1.0 | :x: |
| Version | Supported | Rsync version |
| ------- | ------------------ | ------------------ |
| 7.0.2 | :white_check_mark: | >= 3.4.0 |
| 7.0.1 | :warning: DEPRECATED | < 3.4.0 |
| 7.0.0 | :warning: DEPRECATED | < 3.4.0|
| 6.x | :x: EOL |< 3.4.0|
| 5.x | :x: EOL |< 3.4.0|
| 4.x | :x: EOL |< 3.4.0|
| 3.0 | :x: EOL |< 3.4.0|
| 2.0 | :x: EOL |< 3.4.0|
| 1.0 | :x: EOL |< 3.4.0|
## Reporting a Vulnerability
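Review bot: the sentence above the table, "The following versions are currently being supported with security updates", no longer matches the table once 7.0.0 and 7.0.1 appear with `:warning: DEPRECATED` in the "Supported" column: state explicitly whether deprecated releases still receive security fixes or only the 7.0.2 line does, since that is what a reader of SECURITY.md needs to decide whether to upgrade. Style: the rows from `| 7.0.0 | :warning: DEPRECATED | < 3.4.0|` down to `| 1.0 | :x: EOL |< 3.4.0|` are missing the padding spaces around the `|` separators that the first two rows use; Markdown renders them fine but the source is harder to diff and edit.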

View file

@ -9,6 +9,10 @@ inputs:
description: 'The remote shell argument'
required: false
default: ''
legacy_allow_rsa_hostkeys:
description: 'Enables support for legacy RSA host keys on OpenSSH 8.8+'
required: false
default: 'false'
path:
description: 'The local path'
required: false

View file

@ -1,5 +1,10 @@
#!/bin/sh
if [ -z "$(echo "$INPUT_REMOTE_PATH" | awk '{$1=$1};1')" ]; then
echo "The remote_path can not be empty. see: github.com/Burnett01/rsync-deployments/issues/44"
exit 1
fi
# Start the SSH agent and load key.
source agent-start "$GITHUB_ACTION"
echo "$INPUT_REMOTE_KEY" | SSH_PASS="$INPUT_REMOTE_KEY_PASS" agent-add
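Review bot: the new guard sends its diagnostic to stdout with `echo "The remote_path can not be empty. see: github.com/Burnett01/rsync-deployments/issues/44"` and then `exit 1`; in a GitHub Actions step the message is easier to find if it goes to stderr (`>&2`) or is emitted as a workflow annotation (`echo "::error::remote_path must not be empty ..."`), which surfaces it in the run summary instead of only in the step log. The `awk '{$1=$1};1'` trim is a sound way to reject whitespace-only values. Note that this check runs before the later `set -eu`, so an unset `INPUT_REMOTE_PATH` is treated as empty here rather than aborting, which is the intended behaviour but worth a comment.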
@ -8,8 +13,11 @@ echo "$INPUT_REMOTE_KEY" | SSH_PASS="$INPUT_REMOTE_KEY_PASS" agent-add
set -eu
# Variables.
LEGACY_RSA_HOSTKEYS="-o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa"
LEGACY_RSA_HOSTKEYS=$([ "$INPUT_LEGACY_ALLOW_RSA_HOSTKEYS" = "true" ] && echo "$LEGACY_RSA_HOSTKEYS" || echo "")
SWITCHES="$INPUT_SWITCHES"
RSH="ssh -o StrictHostKeyChecking=no -p $INPUT_REMOTE_PORT $INPUT_RSH"
RSH="ssh -o StrictHostKeyChecking=no $LEGACY_RSA_HOSTKEYS -p $INPUT_REMOTE_PORT $INPUT_RSH"
LOCAL_PATH="$GITHUB_WORKSPACE/$INPUT_PATH"
DSN="$INPUT_REMOTE_USER@$INPUT_REMOTE_HOST"
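Review bot: `LEGACY_RSA_HOSTKEYS="-o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa"` does more than the option name `legacy_allow_rsa_hostkeys` suggests: `HostKeyAlgorithms` governs how the server's host key is verified, but `PubkeyAcceptedKeyTypes` re-enables SHA-1 `ssh-rsa` signatures for the client's own public-key authentication as well. Either document that both directions are affected or split the two. `PubkeyAcceptedKeyTypes` is also the pre-8.5 spelling; OpenSSH 8.5+ calls it `PubkeyAcceptedAlgorithms` and keeps the old name only as an alias, so the newer name is the safer choice for an image that tracks current OpenSSH. The larger point for the combined line `RSH="ssh -o StrictHostKeyChecking=no $LEGACY_RSA_HOSTKEYS -p $INPUT_REMOTE_PORT $INPUT_RSH"` is that `StrictHostKeyChecking=no` was already accepting whatever host key the remote presents; with `ssh-rsa` added, that key may now also be verified with SHA-1. Consider a follow-up that accepts a known_hosts entry or host key fingerprint as an input so the host key can be pinned instead of trusted on first contact. Minor: the `$([ ... ] && echo ... || echo "")` idiom works under `set -eu` only because action.yml defaults the input to `'false'`; a plain `if` block would make that dependency explicit.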