chore: add deprecation notice, move release channels to top

- advise users to always use secrets
- simplified examples
- other adjustments

.dockerignore

@@ -0,0 +1,5 @@
+Dockerfile
+LICENSE
+*.md
+.git*
+.github*

.editorconfig

@@ -0,0 +1,15 @@
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+tab_width = 4
+indent_size = 4
+indent_style = space
+max_line_length = 9999
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+[*.{yml,yaml}]
+tab_width = 2
+indent_size = 2

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,33 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+**Action version**
+eg. 7.0.1
+
+**Runner OS+Version**
+eg. ubuntu-latest
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Additional context**
+Add any other context about the problem here.

.github/workflows/ci-validating-linting-testing.yml

@@ -0,0 +1,165 @@
+# GitHub Actions CI workflow for rsync-deployments
+# This workflow validates the action on every push and pull request by:
+# - Running BATS tests for the entrypoint script
+# - Validating the action.yml definition
+# - Building and testing the Docker image
+# - Checking file structure and permissions
+# - Linting shell scripts
+# - Running a final integration check
+
+name: CI - Validating, Linting, Testing
+permissions:
+  contents: read
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    name: Test BATS Suite
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Install BATS
+      run: |
+        sudo apt-get update
+        sudo apt-get install -y bats
+
+    - name: Run BATS tests
+      run: bats test/entrypoint.bats
+
+  validate-action:
+    runs-on: ubuntu-latest
+    name: Validate Action Definition
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Validate action.yml
+      run: |
+        # Check if action.yml exists and has required fields
+        if [ ! -f "action.yml" ]; then
+          echo "Error: action.yml not found"
+          exit 1
+        fi
+        
+        # Basic validation that action.yml contains required fields
+        python3 -c "
+        import yaml
+        import sys
+        
+        with open('action.yml', 'r') as f:
+            action = yaml.safe_load(f)
+        
+        required_fields = ['name', 'description', 'inputs', 'runs']
+        for field in required_fields:
+            if field not in action:
+                print(f'Missing required field: {field}')
+                sys.exit(1)
+        
+        # Check required inputs exist
+        required_inputs = ['switches', 'remote_path', 'remote_host', 'remote_user', 'remote_key']
+        for input_name in required_inputs:
+            if input_name not in action['inputs']:
+                print(f'Missing required input: {input_name}')
+                sys.exit(1)
+            if not action['inputs'][input_name].get('required', False):
+                print(f'Input {input_name} should be marked as required')
+                sys.exit(1)
+        
+        print('Action definition is valid')
+        "
+
+  docker-build:
+    runs-on: ubuntu-latest
+    name: Build Docker Image
+    needs: [validate-action, action-structure]
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Build Docker image
+      run: |
+        echo "Building Docker image..."
+        docker build -t rsync-deployments . --no-cache
+        echo "Docker image built successfully"
+
+  action-structure:
+    runs-on: ubuntu-latest
+    name: Validate Action Structure
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Check required files
+      run: |
+        echo "Checking required files exist..."
+        
+        # Check all required files exist
+        required_files=("action.yml" "Dockerfile" "entrypoint.sh")
+        for file in "${required_files[@]}"; do
+          if [ ! -f "$file" ]; then
+            echo "Error: Required file $file not found"
+            exit 1
+          fi
+          echo "✓ $file exists"
+        done
+        
+        # Check entrypoint is executable
+        if [ ! -x "entrypoint.sh" ]; then
+          echo "Error: entrypoint.sh is not executable"
+          exit 1
+        fi
+        echo "✓ entrypoint.sh is executable"
+        
+        # Check basic script syntax
+        bash -n entrypoint.sh
+        echo "✓ entrypoint.sh has valid syntax"
+        
+        echo "All structure checks passed!"
+
+  lint-shell:
+    runs-on: ubuntu-latest
+    name: Lint Shell Scripts
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Install ShellCheck
+      run: |
+        sudo apt-get update
+        sudo apt-get install -y shellcheck
+
+    - name: Lint entrypoint.sh
+      run: |
+        echo "Linting shell scripts..."
+        # Run shellcheck with exclusions for Docker-specific dependencies
+        shellcheck -e SC1091 -e SC3046 entrypoint.sh || {
+          echo "ShellCheck found issues, but running with Docker-specific exclusions..."
+          shellcheck -e SC1091 -e SC3046 entrypoint.sh
+        }
+        echo "Shell script linting completed"
+
+  integration-check:
+    runs-on: ubuntu-latest
+    name: Integration Check
+    needs: [test, validate-action, docker-build, action-structure, lint-shell]
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Final integration check
+      run: |
+        echo "All CI jobs completed successfully!"
+        echo "✅ BATS tests passed"
+        echo "✅ Action definition validated"
+        echo "✅ Docker image built and tested"
+        echo "✅ File structure validated"
+        echo "✅ Shell scripts linted"
+        echo ""
+        echo "🎉 rsync-deployments action is ready for use!"

.github/workflows/snyk-docker-vulnerability-scan.yml

@@ -0,0 +1,41 @@
+name: Snyk Docker Vulnerability Scan
+
+on:
+  push:
+    branches: [ "master" ]
+  pull_request:
+    branches: [ "master" ]
+  schedule:
+    - cron: '39 13 * * 4'
+
+permissions:
+  contents: read
+
+jobs:
+  snyk:
+    permissions:
+      contents: read
+      security-events: write
+      actions: read
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - name: Build a Docker image
+      run: docker build -t burnett01/rsync-deployments .
+    - name: Run Snyk to check Docker image for vulnerabilities
+      continue-on-error: true
+      uses: snyk/actions/docker@master
+      env:
+        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+      with:
+        image: burnett01/rsync-deployments
+        args: --file=Dockerfile
+    - name: Output sarif file
+      run: cat snyk.sarif
+    - name: fix security-severity "null" to "0" for valid sarif format
+      run: |
+        sed -i 's/"security-severity": "null"/"security-severity": "0"/g' snyk.sarif
+    - name: Upload result to GitHub Code Scanning
+      uses: github/codeql-action/upload-sarif@v4
+      with:
+        sarif_file: snyk.sarif

Dockerfile

@@ -1,6 +1,14 @@
-FROM drinternet/rsync:v1.4.3
+FROM alpine:3.23.0@sha256:51183f2cfa6320055da30872f211093f9ff1d3cf06f39a0bdb212314c5dc7375 AS base
+
+RUN apk update && apk add --no-cache --upgrade rsync openssh openssl busybox
+
+RUN rm -rf /var/cache/apk/*
+
+COPY docker-rsync/* /bin/
+RUN chmod +x /bin/agent-* /bin/ssh-* /bin/hosts-*
+
+FROM base AS build
 
-# Copy entrypoint
 COPY entrypoint.sh /entrypoint.sh
 RUN chmod +x /entrypoint.sh
 

LICENSE

@@ -1,7 +1,8 @@
 MIT License
 
 Copyright (c) 2019-2022 Contention
-Copyright (c) 2019-2022 Burnett01
+Copyright (c) 2019-2025 Joshua Piper (Dr Internet)
+Copyright (c) 2019-2025 Burnett01
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

README.md

@@ -1,19 +1,71 @@
 # rsync deployments
 
-This GitHub Action (amd64) deploys files in `GITHUB_WORKSPACE` to a remote folder via rsync over ssh. 
+[![CI - Validating, Linting, Testing](https://github.com/Burnett01/rsync-deployments/actions/workflows/ci-validating-linting-testing.yml/badge.svg)](https://github.com/Burnett01/rsync-deployments/actions/workflows/ci-validating-linting-testing.yml) 
+[![Snyk Docker Vulnerability Scan](https://github.com/Burnett01/rsync-deployments/actions/workflows/snyk-docker-vulnerability-scan.yml/badge.svg)](https://github.com/Burnett01/rsync-deployments/actions/workflows/snyk-docker-vulnerability-scan.yml) 
+[![CodeQL](https://github.com/Burnett01/rsync-deployments/actions/workflows/github-code-scanning/codeql/badge.svg)](https://github.com/Burnett01/rsync-deployments/actions/workflows/github-code-scanning/codeql) 
+[![Dependabot Updates](https://github.com/Burnett01/rsync-deployments/actions/workflows/dependabot/dependabot-updates/badge.svg)](https://github.com/Burnett01/rsync-deployments/actions/workflows/dependabot/dependabot-updates)
 
-Use this action in a CD workflow which leaves deployable code in `GITHUB_WORKSPACE`.
 
-The base-image [drinternet/rsync](https://github.com/JoshPiper/rsync-docker/) of this action is very small and is based on Alpine 3.17.2 (no cache) which results in fast deployments.
+This cross-platform GitHub Action deploys files in [`path`](#inputs) (relative to  `GITHUB_WORKSPACE`) to a remote folder via rsync over ssh. 
+
+Use this action in a CD workflow which leaves deployable code in `GITHUB_WORKSPACE`, such [actions/checkout](https://github.com/actions/checkout).
+
+The base-image of this action is very small and based on **Alpine 3.23.0** (no cache) which results in fast deployments.
+
+Alpine version: [3.23.0](https://www.alpinelinux.org/posts/Alpine-3.23.0-released.html)
+Rsync version: [3.4.1-r1](https://download.samba.org/pub/rsync/NEWS#3.4.1)
+
+## Current Version: v8 (8.0.2)
+
+### Release channels:
+
+| Version | Purpose          | Immutable  | 
+| ------- | ------------------ | ------------------ | 
+| ``v8`` (recommended)  |  latest MAJOR (pointer to 8.MINOR.PATCH) | no |
+| 8.0.2  | latest MINOR+PATCH | yes |
+| 7.1.0   | previous release ([deprecation notice](https://github.com/Burnett01/rsync-deployments/discussions/96)) | yes |
+
+Check [SECURITY.md](SECURITY.md) for support cycles.
 
 ---
 
+## How it works
+
+```yml
+name: DEPLOY
+on:
+  push:
+    branches:
+    - master
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v6
+    - name: rsync deployments
+      uses: burnett01/rsync-deployments@v8
+      with:
+        switches: -avzr --delete
+        path: src/
+        remote_path: ${{ secrets.REMOTE_PATH }} # ex: /var/www/html/
+        remote_host: ${{ secrets.REMOTE_HOST }} # ex: example.com
+        remote_port: ${{ secrets.REMOTE_PORT }} # ex: 22
+        remote_user: ${{ secrets.REMOTE_USER }} # ex: ubuntu
+        remote_key: ${{ secrets.REMOTE_PRIVATE_KEY }}
+```
+
 ## Inputs
 
+- `debug`* - Whether to enable debug output. ("true" / "false") - Default: "false"
+
 - `switches`* - The first is for any initial/required rsync flags, eg: `-avzr --delete`
 
 - `rsh` - Remote shell commands
 
+- `strict_hostkeys_checking` - Enables support for strict hostkeys (fingerprint) checking. ("true" / "false") - Default: "false"
+
+- `legacy_allow_rsa_hostkeys` - Enables support for legacy RSA host keys on OpenSSH 8.8+. ("true" / "false") - Default: "false"
+
 - `path` - The source path. Defaults to GITHUB_WORKSPACE and is relative to it
 
 - `remote_path`* - The deployment target path
@@ -24,9 +76,9 @@ The base-image [drinternet/rsync](https://github.com/JoshPiper/rsync-docker/) of
 
 - `remote_user`* - The remote user
 
-- `remote_key`* - The remote ssh key
+- `remote_key`* - The remote ssh private key
 
-- `remote_key_pass` - The remote ssh key passphrase (if any)
+- `remote_key_pass` - The remote ssh private key passphrase (if any)
 
 ``* = Required``
 
@@ -36,13 +88,15 @@ This action needs secret variables for the ssh private key of your key pair. The
 
 > Always use secrets when dealing with sensitive inputs!
 
-For simplicity, we are using `DEPLOY_*` as the secret variables throughout the examples.
+For simplicity, we are using `REMOTE_*` as the secret variables throughout the examples.
 
 ## Example usage
 
+For better **security** always use secrets for remote_host, remote_port, remote_user and remote_path inputs.
+
 Simple:
 
-```
+```yml
 name: DEPLOY
 on:
   push:
@@ -53,81 +107,223 @@ jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v6
     - name: rsync deployments
-      uses: burnett01/rsync-deployments@6.0.0
+      uses: burnett01/rsync-deployments@v8
       with:
         switches: -avzr --delete
         path: src/
-        remote_path: /var/www/html/
+        remote_path: ${{ secrets.REMOTE_PATH }} # ex: /var/www/html/
-        remote_host: example.com
+        remote_host: ${{ secrets.REMOTE_HOST }} # ex: example.com
-        remote_user: debian
+        remote_port: ${{ secrets.REMOTE_PORT }} # ex: 22
-        remote_key: ${{ secrets.DEPLOY_KEY }}
+        remote_user: ${{ secrets.REMOTE_USER }} # ex: ubuntu
+        remote_key: ${{ secrets.REMOTE_PRIVATE_KEY }}
 ```
 
-Advanced:
+Advanced (with filters etc):
 
-```
+```yml
 jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v6
     - name: rsync deployments
-      uses: burnett01/rsync-deployments@6.0.0
+      uses: burnett01/rsync-deployments@v8
       with:
         switches: -avzr --delete --exclude="" --include="" --filter=""
         path: src/
-        remote_path: /var/www/html/
+        remote_path: ${{ secrets.REMOTE_PATH }} # ex: /var/www/html/
-        remote_host: example.com
+        remote_host: ${{ secrets.REMOTE_HOST }} # ex: example.com
-        remote_port: 5555
+        remote_port: ${{ secrets.REMOTE_PORT }} # ex: 22
-        remote_user: debian
+        remote_user: ${{ secrets.REMOTE_USER }} # ex: ubuntu
-        remote_key: ${{ secrets.DEPLOY_KEY }}
+        remote_key: ${{ secrets.REMOTE_PRIVATE_KEY }}
-```
-
-For better **security**, I suggest you create additional secrets for remote_host, remote_port, remote_user and remote_path inputs.
-
-```
-jobs:
-  deploy:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v3
-    - name: rsync deployments
-      uses: burnett01/rsync-deployments@6.0.0
-      with:
-        switches: -avzr --delete
-        path: src/
-        remote_path: ${{ secrets.DEPLOY_PATH }}
-        remote_host: ${{ secrets.DEPLOY_HOST }}
-        remote_port: ${{ secrets.DEPLOY_PORT }}
-        remote_user: ${{ secrets.DEPLOY_USER }}
-        remote_key: ${{ secrets.DEPLOY_KEY }}
 ```
 
 If your private key is passphrase protected you should use:
 
-```
+```yml
 jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v6
     - name: rsync deployments
-      uses: burnett01/rsync-deployments@6.0.0
+      uses: burnett01/rsync-deployments@v8
       with:
         switches: -avzr --delete
         path: src/
-        remote_path: ${{ secrets.DEPLOY_PATH }}
+        remote_path: ${{ secrets.REMOTE_PATH }} # ex: /var/www/html/
-        remote_host: ${{ secrets.DEPLOY_HOST }}
+        remote_host: ${{ secrets.REMOTE_HOST }} # ex: example.com
-        remote_port: ${{ secrets.DEPLOY_PORT }}
+        remote_port: ${{ secrets.REMOTE_PORT }} # ex: 22
-        remote_user: ${{ secrets.DEPLOY_USER }}
+        remote_user: ${{ secrets.REMOTE_USER }} # ex: ubuntu
-        remote_key: ${{ secrets.DEPLOY_KEY }}
+        remote_key: ${{ secrets.REMOTE_PRIVATE_KEY }}
-        remote_key_pass: ${{ secrets.DEPLOY_KEY_PASS }}
+        remote_key_pass: ${{ secrets.REMOTE_PRIVATE_KEY_PASS }}
 ```
+
 ---
 
-## Version 5.0, 5.1 & 5.2
+#### Legacy RSA Hostkeys support for OpenSSH Servers >= 8.8+
+
+If your remote OpenSSH Server still uses RSA hostkeys, then you have to
+manually enable legacy support for this by using ``legacy_allow_rsa_hostkeys: "true"``.
+
+```yml
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v6
+    - name: rsync deployments
+      uses: burnett01/rsync-deployments@v8
+      with:
+        switches: -avzr --delete
+        legacy_allow_rsa_hostkeys: "true"
+        path: src/
+        remote_path: ${{ secrets.REMOTE_PATH }} # ex: /var/www/html/
+        remote_host: ${{ secrets.REMOTE_HOST }} # ex: example.com
+        remote_port: ${{ secrets.REMOTE_PORT }} # ex: 22
+        remote_user: ${{ secrets.REMOTE_USER }} # ex: ubuntu
+        remote_key: ${{ secrets.REMOTE_PRIVATE_KEY }}
+```
+
+See [#49](https://github.com/Burnett01/rsync-deployments/issues/49) and [#24](https://github.com/Burnett01/rsync-deployments/issues/24) for more information.
+
+**Note:** Only use this if necessary. It's recommended to upgrade your remote OpenSSH server instead.
+
+--
+
+## Advanced Rsync switches/flags/options
+
+For advanced rsync configuration options and switches, refer to the [rsync manual](https://linux.die.net/man/1/rsync).
+
+---
+
+## Troubleshooting
+
+### SSH Permission Denied Errors
+
+If you encounter "Permission denied (publickey,password)" errors, here are the most common solutions:
+
+#### 1. SSH Key Setup
+
+Ensure your SSH key pair is correctly generated and configured:
+
+```bash
+# Generate a new SSH key pair (recommended: Ed25519 or RSA 4096-bit)
+ssh-keygen -t ed25519 -C "deploy@yourproject" -f ~/.ssh/deploy_yourproject -N ""
+# OR for RSA:
+ssh-keygen -t rsa -b 4096 -C "deploy@yourproject" -f ~/.ssh/deploy_yourproject -N ""
+```
+
+**Important Steps:**
+- Add the **public key** (`.pub` file) to your server's `~/.ssh/authorized_keys`
+- Add the **private key** (without `.pub` extension) to GitHub Secrets as `REMOTE_PRIVATE_KEY`
+- Ensure correct file permissions on your server:
+  ```bash
+  chmod 700 ~/.ssh
+  chmod 600 ~/.ssh/authorized_keys
+  ```
+
+For detailed information on creating and managing SSH keys, see [GitHub's SSH Key Guide](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent).
+
+#### 2. ``remote_path`` permissions
+
+Make sure the ``remote_user`` has write access to ``remote_path``.
+
+See: https://github.com/Burnett01/rsync-deployments/issues/81#issuecomment-3308152891
+
+#### 3. Firewall / GitHub Actions IP Restrictions
+
+If your remote server has firewall restrictions:
+
+- **Option A:** Whitelist [GitHub Actions IP ranges](https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners#ip-addresses) (Azure-based)
+- **Option B:** Use self-hosted runners on your server (recommended for strict firewall environments)
+
+### Excluding files/folders (eg .git) 
+
+By default, rsync copies dot files and folder if present at ``path:``. To exclude them, you can use the ``--exclude`` switch:
+
+```yml
+switches: -avzr --delete --exclude='.git/'
+```
+
+Other common exclusions:
+```yml
+switches: -avzr --delete --exclude='.git/' --exclude='node_modules/' --exclude='.env'
+```
+
+More advanced examples:
+
+- https://github.com/Burnett01/rsync-deployments/issues/5#issuecomment-667589874
+- https://github.com/Burnett01/rsync-deployments/issues/16
+- https://github.com/Burnett01/rsync-deployments/issues/71
+- https://github.com/Burnett01/rsync-deployments/issues/52
+
+### Missing rsync on Remote Host
+
+If the action fails with "rsync: command not found" or similar errors, rsync is not installed on your remote server. Install it using your system's package manager:
+
+**Ubuntu/Debian:**
+```bash
+sudo apt-get update && sudo apt-get install rsync
+```
+
+**CentOS/RHEL/Rocky/AlmaLinux:**
+```bash
+sudo yum install rsync
+# OR on newer versions:
+sudo dnf install rsync
+```
+
+**Alpine Linux:**
+```bash
+sudo apk add rsync
+```
+
+---
+
+## Versions
+
+## Version 8.0.0 (EOL due to regression -> fixed via 8.0.1 & 8.0.2)
+
+Check here: 
+
+- https://github.com/Burnett01/rsync-deployments/tree/8.0.0  (alpine 3.23.0)
+
+## Version 7.1.0
+
+Check here: 
+
+- https://github.com/Burnett01/rsync-deployments/tree/7.1.0  (alpine 3.22.1)
+  
+
+## Version 7.0.2 (DEPRECATED)
+
+Check here: 
+
+- https://github.com/Burnett01/rsync-deployments/tree/7.0.2  (alpine 3.22.1)
+  
+---
+
+## Version 7.0.0 & 7.0.1 (EOL)
+
+Check here: 
+
+- https://github.com/Burnett01/rsync-deployments/tree/7.0.0  (alpine 3.19.1)
+- https://github.com/Burnett01/rsync-deployments/tree/7.0.1  (alpine 3.22.1)
+  
+---
+
+## Version 6.0 (EOL)
+
+Check here: 
+
+- https://github.com/Burnett01/rsync-deployments/tree/6.0  (alpine 3.17.2)
+
+---
+
+## Version 5.0, 5.1 & 5.2 & 5.x (EOL)
 
 Check here: 
 
@@ -136,10 +332,10 @@ Check here:
 - https://github.com/Burnett01/rsync-deployments/tree/5.2  (alpine 3.15.0)
 - https://github.com/Burnett01/rsync-deployments/tree/5.2.1  (alpine 3.16.1)
 - https://github.com/Burnett01/rsync-deployments/tree/5.2.2  (alpine 3.17.2)
-- 
+
 ---
 
-## Version 4.0 & 4.1
+## Version 4.0 & 4.1 (EOL)
 
 Check here: 
 
@@ -176,38 +372,33 @@ Please note that version 1.0 has reached end of life state.
 ## Acknowledgements
 
 + This project is a fork of [Contention/rsync-deployments](https://github.com/Contention/rsync-deployments)
-+ Base image [JoshPiper/rsync-docker](https://github.com/JoshPiper/rsync-docker)
++ docker-rsync [JoshPiper/rsync-docker](https://github.com/JoshPiper/rsync-docker)
 
 ---
 
-## Media
+## Media & Pingback
 
 This action was featured in multiple blogs across the globe:
 
 > Disclaimer: The author & co-authors are not responsible for the content of the site-links below.
 
-- https://leobrack.co.uk/blog/2020-02-15-automatically-push-changes-to-your-live-site-with-github-actions
+- https://hosting.xyz/wiki/hosting/other/github-actions/
 
-- https://blog.maniak.co/ci-cd-for-wordpress/
+- https://www.alexander-palm.de/2025/07/22/sichere-rsync-deployments-mit-github-actions-und-rrsync/
+
+- https://lab.uberspace.de/howto_automatic-deployment/
+
+- https://blog.devops.dev/setting-up-an-ubuntu-instance-for-nodejs-apps-in-ovh-cloud-using-nginx-pm2-github-actions-7618c768d081
 
 - https://elijahverdoorn.com/2020/04/14/automating-deployment-with-github-actions/
 
 - https://www.vektor-inc.co.jp/post/github-actions-deploy/
 
-- https://ews.ink/tech/blog-deploy-2/
-
 - https://webpick.info/automatiser-avec-github-actions/
 
 - https://matthias-andrasch.eu/blog/2021/tutorial-webseite-mittels-github-actions-deployment-zu-uberspace-uebertragen-rsync/
 
-- https://mikael.koutero.me/posts/hugo-github-actions-deploy-rsync/
-
-- https://cdmana.com/2021/02/20210208122400688I.html
-
 - https://jishuin.proginn.com/p/763bfbd38928
 
 - https://cloud.tencent.com/developer/article/1786522
 
-- http://www.ningco.cn/github_action_deploy_blog/
-
-- https://qdmana.com/2021/01/20210127094413405u.html

SECURITY.md

@@ -1,17 +1,32 @@
 # Security Policy
 
+The Docker image and code quality are regularly checked for vulnerabilities and CVEs by Snyk and CodeQL.
+
 ## Supported Versions
 
 The following versions are currently being supported with security updates:
 
-| Version | Supported          |
+| Version | Supported          | Rsync version          | Alpine version          | Support Until  |
-| ------- | ------------------ |
+| ------- | ------------------ | ------------------ | ------------------ | ------------------ | 
-| 5.x   | :white_check_mark: |
+| (``v8``) 8.0.2  | :white_check_mark: | >= 3.4.1-r1 | 3.23.0 | LTS (2026-*) |
-| 4.1   | :white_check_mark: |
+| 8.0.1  | :white_check_mark: | >= 3.4.1-r1 | 3.23.0 | Apr, 1st 2026 |
-| 4.0   | :white_check_mark: |
+| 8.0.0  | :x: EOL (due to regression #90) | >= 3.4.1-r1 | 3.23.0 | † Dec, 6th 2025 |
-| 3.0   | :x: |
+| 7.1.0  | :warning: DEPRECATED | >= 3.4.1-r0 | 3.22.1 | June, 1st 2026 ([deprecation notice](https://github.com/Burnett01/rsync-deployments/discussions/96)) |
-| 2.0   | :x:                |
+| 7.0.2   | :warning: DEPRECATED | >= 3.4.0-r0 | 3.22.1 | June, 1st 2026 ([deprecation notice](https://github.com/Burnett01/rsync-deployments/discussions/96)) |
-| 1.0   | :x:                |
+| 7.0.1   | :x: EOL | < 3.4.0 | 3.22.1 | † Dec, 6th 2025 |
+| 7.0.0   | :x: EOL | < 3.4.0| 3.19.1 | † Dec, 6th 2025 |
+| 6.x   | :x: EOL |< 3.4.0| 3.17.2 | † 2024 |
+| 5.x   | :x: EOL |< 3.4.0| 3.11 - 3.14.1 - 3.15 - 3.16 - 3.17.2 | † 2024 |
+| 4.x   | :x: EOL |< 3.4.0| 3.11 |  † |
+| 3.0   | :x: EOL |< 3.4.0| N/A | † |
+| 2.0   | :x: EOL               |< 3.4.0| Ubuntu | † |
+| 1.0   | :x: EOL               |< 3.4.0| Ubuntu | † |
+
+### Terminology
+
+EOL = End of life (no support/no updates)
+
+DEPRECATED = Close to EOL (support/no updates)
 
 ## Reporting a Vulnerability
 

action.yml

@@ -9,6 +9,14 @@ inputs:
     description: 'The remote shell argument'
     required: false
     default: ''
+  legacy_allow_rsa_hostkeys:
+    description: 'Enables support for legacy RSA host keys on OpenSSH 8.8+'
+    required: false
+    default: 'false'
+  strict_hostkeys_checking:
+    description: 'Controls strict host keys checking'
+    required: false
+    default: 'false'
   path:
     description: 'The local path'
     required: false
@@ -33,6 +41,10 @@ inputs:
     description: 'The remote key passphrase'
     required: false
     default: ''
+  debug:
+    description: 'Debug the action'
+    required: false
+    default: 'false'
 runs:
   using: 'docker'
   image: 'Dockerfile'

docker-rsync/README.md

@@ -0,0 +1,40 @@
+# Scripts
+
+Shell-scripts to help with managing SSH agents and known hosts files.
+
+### SSH Management
+
+#### ssh-init
+This command create the ``$HOME/.ssh`` folder with default permissions ``700``.
+
+### SSH-Agent Management
+
+#### agent-start
+This command starts the SSH agent, if it isn't already started (SSH_AGENT_PID set or ssh agent ID file found).
+It takes one optional argument, for the name of the agent to be started. Defaults to "default".
+This program needs to be source'd to work correctly.
+`source agent-start "default"`
+
+#### agent-stop
+This command stops the SSH agent, if it is started (SSH_AGENT_PID set or ssh agent ID file found).
+It takes one optional argument, for the name of the agent to be stopped. Defaults to "default".
+`agent-stop "my-agent-name"`
+
+#### agent-add
+This command adds a key to the currently running SSH agent. The key is taken from stdin, and the agent used is that in SSH_AGENT_PID.
+
+#### agent-askpass
+This command is called by ssh-add when the [SSH_ASKPASS](https://man.openbsd.org/ssh-add.1#ENVIRONMENT) variable is set active. The command returns the SSH_PASS to [ssh-askpass(1)](https://man.openbsd.org/ssh-askpass.1).
+
+This command is ignored by ssh-add if the key does not require a passphrase.
+
+### known_hosts management
+
+#### hosts-init
+This command creates the known_hosts file (``$HOME/.ssh/known_hosts``) with default permission ``600``.
+
+#### hosts-add
+This command adds an entry to the known hosts file, and ensures its permissions are correct. It takes one argument, which is the new key to add.
+
+#### hosts-clear
+This command truncates the known_hosts file.

docker-rsync/agent-add

@@ -0,0 +1,6 @@
+#!/bin/sh
+
+set -eu
+
+source agent-start "${1:-default}"
+cat - | tr -d '\r' | DISPLAY=1 SSH_ASKPASS=agent-askpass ssh-add - >/dev/null

docker-rsync/agent-askpass

@@ -0,0 +1,5 @@
+#!/bin/sh
+
+set -eu
+
+echo "$SSH_PASS"

docker-rsync/agent-start

@@ -0,0 +1,21 @@
+#!/bin/sh
+
+set -eu
+
+FOLDER=${1:-default}
+STORE_PATH="/tmp/ssh-agent/$FOLDER"
+mkdir -p "$STORE_PATH"
+
+if [ -z "${SSH_AGENT_PID:-}" ]; then
+	if [ -f "$STORE_PATH/id" ]; then
+		SSH_AGENT_PID=$(cat "$STORE_PATH/id")
+		export SSH_AGENT_PID
+
+		SSH_AUTH_SOCK=$(cat "$STORE_PATH/sock")
+		export SSH_AUTH_SOCK
+	else
+		eval "$(ssh-agent)" > /dev/null
+		echo "$SSH_AGENT_PID" > "$STORE_PATH"/id
+		echo "$SSH_AUTH_SOCK" > "$STORE_PATH"/sock
+	fi
+fi

docker-rsync/agent-stop

@@ -0,0 +1,37 @@
+#!/bin/sh
+
+set -eu
+
+if [ ! -z "$SSH_AGENT_PID" ]; then
+	# Here, the environment is set already, just kill the script.
+	eval $(ssh-agent -k) >/dev/null
+	exit $?
+else
+	# The env isn't set, construct the file path.
+	FOLDER=${1:-default}
+	STORE_PATH="/tmp/ssh-agent/$FOLDER"
+	if [ ! -d "$STORE_PATH" ]; then
+		echo "Store Path $STORE_PATH doesn't exist!" >&2
+		exit 1
+	fi
+
+	# And check our files exist.
+	if [ -f "$STORE_PATH/id" ]; then
+		# Grab our PID and socket.
+		SSH_AGENT_PID=$(cat "$STORE_PATH/id")
+		export SSH_AGENT_PID
+		rm "$STORE_PATH/id"
+
+		SSH_AUTH_SOCK=$(cat "$STORE_PATH/sock")
+		export SSH_AUTH_SOCK
+		rm "$STORE_PATH/sock"
+
+
+		rmdir "$STORE_PATH"
+		eval $(ssh-agent -k) >/dev/null
+		exit $?
+	else
+		echo "SSH_AGENT_PID not set, $STORE_PATH/id doesn't exist!" >&2
+		exit 1
+	fi
+fi

docker-rsync/hosts-add

@@ -0,0 +1,5 @@
+#!/bin/sh
+
+set -eu
+
+echo "$@" >> $HOME/.ssh/known_hosts

docker-rsync/hosts-clear

@@ -0,0 +1,5 @@
+#!/bin/sh
+
+set -eu
+
+truncate -s 0 $HOME/.ssh/known_hosts

docker-rsync/hosts-init

@@ -0,0 +1,9 @@
+#!/bin/sh
+
+set -eu
+
+if [ ! -f "$HOME/.ssh/known_hosts" ]; then
+    touch $HOME/.ssh/known_hosts
+fi
+
+chmod 600 $HOME/.ssh/known_hosts

docker-rsync/ssh-init

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+set -eu
+
+if [ ! -d "$HOME/.ssh" ]; then
+    mkdir -m 700 $HOME/.ssh
+fi

entrypoint.sh

@@ -1,22 +1,55 @@
 #!/bin/sh
 
+set -eu
+
+if [ "${INPUT_DEBUG:-false}" = "true" ]; then
+    set -x
+fi
+
 if [ -z "$(echo "$INPUT_REMOTE_PATH" | awk '{$1=$1};1')" ]; then
     echo "The remote_path can not be empty. see: github.com/Burnett01/rsync-deployments/issues/44"
     exit 1
 fi
 
+# Initialize SSH and known hosts.
+source ssh-init
+source hosts-init
+
 # Start the SSH agent and load key.
 source agent-start "$GITHUB_ACTION"
 echo "$INPUT_REMOTE_KEY" | SSH_PASS="$INPUT_REMOTE_KEY_PASS" agent-add
 
-# Add strict errors.
-set -eu
-
 # Variables.
-SWITCHES="$INPUT_SWITCHES"
+LEGACY_RSA_HOSTKEYS=""
-RSH="ssh -o StrictHostKeyChecking=no -p $INPUT_REMOTE_PORT $INPUT_RSH"
+if [ "${INPUT_LEGACY_ALLOW_RSA_HOSTKEYS:-false}" = "true" ]; then
+    LEGACY_RSA_HOSTKEYS="-o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa"
+fi
+
+STRICT_HOSTKEYS_CHECKING="-o StrictHostKeyChecking=no"
+if [ "${INPUT_STRICT_HOSTKEYS_CHECKING:-false}" = "true" ]; then
+    STRICT_HOSTKEYS_CHECKING="-o UserKnownHostsFile=$HOME/.ssh/known_hosts -o StrictHostKeyChecking=yes"
+
+    key="$(ssh-keyscan -p "$INPUT_REMOTE_PORT" "$INPUT_REMOTE_HOST" 2>/dev/null | sed '/^#/d')" || key=""
+    if [ -n "$key" ]; then
+        # fingerprint verification
+        echo "$key" | ssh-keygen -lf -
+        # add to known hosts
+        echo "$key" | while IFS= read -r line; do hosts-add "$line"; done
+    else
+        echo "Warning: failed to fetch host key for $INPUT_REMOTE_HOST" >&2
+        exit 1
+    fi
+fi
+
+RSH="ssh $STRICT_HOSTKEYS_CHECKING $LEGACY_RSA_HOSTKEYS -p $INPUT_REMOTE_PORT $INPUT_RSH"
 LOCAL_PATH="$GITHUB_WORKSPACE/$INPUT_PATH"
 DSN="$INPUT_REMOTE_USER@$INPUT_REMOTE_HOST"
 
 # Deploy.
-sh -c "rsync $SWITCHES -e '$RSH' $LOCAL_PATH $DSN:$INPUT_REMOTE_PATH"
+sh -c "rsync $INPUT_SWITCHES -e '$RSH' $LOCAL_PATH $DSN:$INPUT_REMOTE_PATH"
+
+# Clean up.
+source agent-stop "$GITHUB_ACTION"
+source hosts-clear
+
+exit 0

test/entrypoint.bats

@@ -0,0 +1,128 @@
+#!/usr/bin/env bats
+
+setup() {
+    # Create dummy binaries for sourcing
+    echo 'echo "source"' > source
+    echo 'echo "agent started"' > agent-start
+    echo 'echo "key added"' > agent-add
+    chmod +x source agent-start agent-add
+
+    # Create dummy rsync binary to capture its arguments
+    echo 'echo "rsync $@"' > rsync
+    chmod +x rsync
+
+    PATH="$PWD:$PATH"
+}
+
+teardown() {
+    rm -f source agent-start agent-add rsync ssh-keyscan hosts-add
+}
+
+@test "fails if INPUT_REMOTE_PATH is empty" {
+    export INPUT_REMOTE_PATH=" "
+    run ./entrypoint.sh
+    [ "$status" -eq 1 ]
+    [[ "${output}" == *"can not be empty"* ]]
+}
+
+@test "includes legacy RSA switches when allowed" {
+    export INPUT_LEGACY_ALLOW_RSA_HOSTKEYS="true"
+    export INPUT_REMOTE_PATH="remote/"
+    export INPUT_REMOTE_KEY="dummy"
+    export INPUT_REMOTE_KEY_PASS="dummy"
+    export GITHUB_ACTION="dummy"
+    export INPUT_SWITCHES="-avz"
+    export INPUT_REMOTE_PORT="22"
+    export INPUT_RSH=""
+    export INPUT_PATH=""
+    export INPUT_REMOTE_USER="user"
+    export INPUT_REMOTE_HOST="localhost.local"
+    export GITHUB_WORKSPACE="/tmp"
+    export DSN="user@localhost.local"
+    export LOCAL_PATH="/tmp/"
+
+    run ./entrypoint.sh
+
+    [[ "${output}" == *"rsync -avz -e ssh -o StrictHostKeyChecking=no -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa -p 22  /tmp/ user@localhost.local:remote/"* ]]
+}
+
+@test "does not include legacy RSA switches when not allowed" {
+    export INPUT_LEGACY_ALLOW_RSA_HOSTKEYS="false"
+    export INPUT_REMOTE_PATH="remote/"
+    export INPUT_REMOTE_KEY="dummy"
+    export INPUT_REMOTE_KEY_PASS="dummy"
+    export GITHUB_ACTION="dummy"
+    export INPUT_SWITCHES="-avz"
+    export INPUT_REMOTE_PORT="22"
+    export INPUT_RSH=""
+    export INPUT_PATH=""
+    export INPUT_REMOTE_USER="user"
+    export INPUT_REMOTE_HOST="localhost.local"
+    export GITHUB_WORKSPACE="/tmp"
+    export DSN="user@localhost.local"
+    export LOCAL_PATH="/tmp/"
+
+    run ./entrypoint.sh
+    [[ "${output}" == *"rsync -avz -e ssh -o StrictHostKeyChecking=no  -p 22  /tmp/ user@localhost.local:remote/"* ]]
+}
+
+@test "includes STRICT_HOSTKEYS_CHECKING switches when allowed" {
+    # Set a fake HOME dir
+    local -r HOME="/tmp"
+
+    export INPUT_LEGACY_ALLOW_RSA_HOSTKEYS="false"
+    export INPUT_STRICT_HOSTKEYS_CHECKING="true"
+    export INPUT_REMOTE_PATH="remote/"
+    export INPUT_REMOTE_KEY="dummy"
+    export INPUT_REMOTE_KEY_PASS="dummy"
+    export GITHUB_ACTION="dummy"
+    export INPUT_SWITCHES="-avz"
+    export INPUT_REMOTE_PORT="22"
+    export INPUT_RSH=""
+    export INPUT_PATH=""
+    export INPUT_REMOTE_USER="user"
+    export INPUT_REMOTE_HOST="localhost.local"
+    export GITHUB_WORKSPACE="/tmp"
+    export DSN="user@localhost.local"
+    export LOCAL_PATH="/tmp/"
+
+    # Generate a mock key pair to test ssh-keyscan (entrypoint.sh:32)
+    rm -f "$HOME/mockKeyPair" "$HOME/mockKeyPair.pub" \
+    && ssh-keygen -t ed25519 -f "$HOME/mockKeyPair" -N '' -q -C '' \
+    && mockPublicKey=$(< "$HOME/mockKeyPair.pub")
+
+    # Create dummy ssh-keyscan binary to return $mockPublicKey
+    echo "echo 'localhost.local $mockPublicKey #Mock 1'" > ssh-keyscan
+    chmod +x ssh-keyscan
+
+    # Create dummy hosts-add binary to capture its arguments
+    echo 'echo "hosts-add $@"' > hosts-add
+    chmod +x hosts-add
+    
+    run ./entrypoint.sh
+
+    [[ "${output}" == *"hosts-add localhost.local ssh-ed25519"* ]]
+    [[ "${output}" == *"rsync -avz -e ssh -o UserKnownHostsFile=/tmp/.ssh/known_hosts -o StrictHostKeyChecking=yes  -p 22  /tmp/ user@localhost.local:remote/"* ]]
+}
+
+@test "does not includes STRICT_HOSTKEYS_CHECKING switches when not allowed" {
+    export INPUT_LEGACY_ALLOW_RSA_HOSTKEYS="false"
+    export INPUT_STRICT_HOSTKEYS_CHECKING="false"
+    export INPUT_REMOTE_PATH="remote/"
+    export INPUT_REMOTE_KEY="dummy"
+    export INPUT_REMOTE_KEY_PASS="dummy"
+    export GITHUB_ACTION="dummy"
+    export INPUT_SWITCHES="-avz"
+    export INPUT_REMOTE_PORT="22"
+    export INPUT_RSH=""
+    export INPUT_PATH=""
+    export INPUT_REMOTE_USER="user"
+    export INPUT_REMOTE_HOST="localhost.local"
+    export GITHUB_WORKSPACE="/tmp"
+    export DSN="user@localhost.local"
+    export LOCAL_PATH="/tmp/"
+    
+    run ./entrypoint.sh
+
+    [[ "${output}" == *"rsync -avz -e ssh -o StrictHostKeyChecking=no  -p 22  /tmp/ user@localhost.local:remote/"* ]]
+}