Hostux/github.com_burnett01_rsync-deployments
1
0
Fork 1
mirror of https://github.com/Burnett01/rsync-deployments.git synced 2025-12-13 17:42:18 +01:00
Code Issues Projects Releases Packages Wiki Activity

Compare commits

base: Hostux:master
Branches Tags
Hostux:master
Hostux:release/8.0.2
Hostux:fix/issue-90-alice
Hostux:rc/8.0.0
Hostux:copilot/fix-85
Hostux:drinternet-rsync-merge
Hostux:non-release/8.0.0
Hostux:release/7.0.1
Hostux:release/7.0.0
Hostux:release/6.0.0
Hostux:release/5.2.1
Hostux:release/5.3
Hostux:8.0.2
Hostux:8.0.1
Hostux:v8
Hostux:8.0.0
Hostux:7.1.0
Hostux:7.0.2
Hostux:7.0.1
Hostux:7.0.0
Hostux:6.0.0
Hostux:5.2.2
Hostux:5.2.1
Hostux:5.2
Hostux:5.1
Hostux:5.0
Hostux:4.1
Hostux:4.0
Hostux:3.0
Hostux:2.0
Hostux:1.0
..
compare: Hostux:5.0
Branches Tags
Hostux:master
Hostux:release/8.0.2
Hostux:fix/issue-90-alice
Hostux:rc/8.0.0
Hostux:copilot/fix-85
Hostux:drinternet-rsync-merge
Hostux:non-release/8.0.0
Hostux:release/7.0.1
Hostux:release/7.0.0
Hostux:release/6.0.0
Hostux:release/5.2.1
Hostux:release/5.3
Hostux:8.0.2
Hostux:8.0.1
Hostux:v8
Hostux:8.0.0
Hostux:7.1.0
Hostux:7.0.2
Hostux:7.0.1
Hostux:7.0.0
Hostux:6.0.0
Hostux:5.2.2
Hostux:5.2.1
Hostux:5.2
Hostux:5.1
Hostux:5.0
Hostux:4.1
Hostux:4.0
Hostux:3.0
Hostux:2.0
Hostux:1.0

No commits in common. "master" and "5.0" have entirely different histories.
master ... 5.0

22 changed files with 92 additions and 891 deletions
Show stats Expand all files Collapse all files

5
.dockerignore
View file

@ -1,5 +0,0 @@
Dockerfile
LICENSE
*.md
.git*
.github*

15
.editorconfig
View file

@ -1,15 +0,0 @@
root = true
[*]
charset = utf-8
end_of_line = lf
tab_width = 4
indent_size = 4
indent_style = space
max_line_length = 9999
insert_final_newline = true
trim_trailing_whitespace = true
[*.{yml,yaml}]
tab_width = 2
indent_size = 2

33
.github/ISSUE_TEMPLATE/bug_report.md vendored
View file

@ -1,33 +0,0 @@
---
name: Bug report
about: Create a report to help us improve
title: ''
labels: ''
assignees: ''
---
**Action version**
eg. 7.0.1
**Runner OS+Version**
eg. ubuntu-latest
**Describe the bug**
A clear and concise description of what the bug is.
**To Reproduce**
Steps to reproduce the behavior:
1. Go to '...'
2. Click on '....'
3. Scroll down to '....'
4. See error
**Expected behavior**
A clear and concise description of what you expected to happen.
**Screenshots**
If applicable, add screenshots to help explain your problem.
**Additional context**
Add any other context about the problem here.

6
.github/dependabot.yml vendored
View file

@ -1,6 +0,0 @@
version: 2
updates:
- package-ecosystem: docker
directory: /
schedule:
interval: monthly

165
.github/workflows/ci-validating-linting-testing.yml vendored
View file

@ -1,165 +0,0 @@
# GitHub Actions CI workflow for rsync-deployments
# This workflow validates the action on every push and pull request by:
# - Running BATS tests for the entrypoint script
# - Validating the action.yml definition
# - Building and testing the Docker image
# - Checking file structure and permissions
# - Linting shell scripts
# - Running a final integration check
name: CI - Validating, Linting, Testing
permissions:
contents: read
on:
push:
branches: [ master ]
pull_request:
branches: [ master ]
jobs:
test:
runs-on: ubuntu-latest
name: Test BATS Suite
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Install BATS
run: |
sudo apt-get update
sudo apt-get install -y bats
- name: Run BATS tests
run: bats test/entrypoint.bats
validate-action:
runs-on: ubuntu-latest
name: Validate Action Definition
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Validate action.yml
run: |
# Check if action.yml exists and has required fields
if [ ! -f "action.yml" ]; then
echo "Error: action.yml not found"
exit 1
fi
# Basic validation that action.yml contains required fields
python3 -c "
import yaml
import sys
with open('action.yml', 'r') as f:
action = yaml.safe_load(f)
required_fields = ['name', 'description', 'inputs', 'runs']
for field in required_fields:
if field not in action:
print(f'Missing required field: {field}')
sys.exit(1)
# Check required inputs exist
required_inputs = ['switches', 'remote_path', 'remote_host', 'remote_user', 'remote_key']
for input_name in required_inputs:
if input_name not in action['inputs']:
print(f'Missing required input: {input_name}')
sys.exit(1)
if not action['inputs'][input_name].get('required', False):
print(f'Input {input_name} should be marked as required')
sys.exit(1)
print('Action definition is valid')
"
docker-build:
runs-on: ubuntu-latest
name: Build Docker Image
needs: [validate-action, action-structure]
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Build Docker image
run: |
echo "Building Docker image..."
docker build -t rsync-deployments . --no-cache
echo "Docker image built successfully"
action-structure:
runs-on: ubuntu-latest
name: Validate Action Structure
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Check required files
run: |
echo "Checking required files exist..."
# Check all required files exist
required_files=("action.yml" "Dockerfile" "entrypoint.sh")
for file in "${required_files[@]}"; do
if [ ! -f "$file" ]; then
echo "Error: Required file $file not found"
exit 1
fi
echo "✓ $file exists"
done
# Check entrypoint is executable
if [ ! -x "entrypoint.sh" ]; then
echo "Error: entrypoint.sh is not executable"
exit 1
fi
echo "✓ entrypoint.sh is executable"
# Check basic script syntax
bash -n entrypoint.sh
echo "✓ entrypoint.sh has valid syntax"
echo "All structure checks passed!"
lint-shell:
runs-on: ubuntu-latest
name: Lint Shell Scripts
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Install ShellCheck
run: |
sudo apt-get update
sudo apt-get install -y shellcheck
- name: Lint entrypoint.sh
run: |
echo "Linting shell scripts..."
# Run shellcheck with exclusions for Docker-specific dependencies
shellcheck -e SC1091 -e SC3046 entrypoint.sh || {
echo "ShellCheck found issues, but running with Docker-specific exclusions..."
shellcheck -e SC1091 -e SC3046 entrypoint.sh
}
echo "Shell script linting completed"
integration-check:
runs-on: ubuntu-latest
name: Integration Check
needs: [test, validate-action, docker-build, action-structure, lint-shell]
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Final integration check
run: |
echo "All CI jobs completed successfully!"
echo "✅ BATS tests passed"
echo "✅ Action definition validated"
echo "✅ Docker image built and tested"
echo "✅ File structure validated"
echo "✅ Shell scripts linted"
echo ""
echo "🎉 rsync-deployments action is ready for use!"

41
.github/workflows/snyk-docker-vulnerability-scan.yml vendored
View file

@ -1,41 +0,0 @@
name: Snyk Docker Vulnerability Scan
on:
push:
branches: [ "master" ]
pull_request:
branches: [ "master" ]
schedule:
- cron: '39 13 * * 4'
permissions:
contents: read
jobs:
snyk:
permissions:
contents: read
security-events: write
actions: read
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Build a Docker image
run: docker build -t burnett01/rsync-deployments .
- name: Run Snyk to check Docker image for vulnerabilities
continue-on-error: true
uses: snyk/actions/docker@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: burnett01/rsync-deployments
args: --file=Dockerfile
- name: Output sarif file
run: cat snyk.sarif
- name: fix security-severity "null" to "0" for valid sarif format
run: |
sed -i 's/"security-severity": "null"/"security-severity": "0"/g' snyk.sarif
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v4
with:
sarif_file: snyk.sarif

12
Dockerfile
View file

@ -1,14 +1,6 @@
FROM alpine:3.23.0@sha256:51183f2cfa6320055da30872f211093f9ff1d3cf06f39a0bdb212314c5dc7375 AS base FROM drinternet/rsync:v1.2.0
RUN apk update && apk add --no-cache --upgrade rsync openssh openssl busybox
RUN rm -rf /var/cache/apk/*
COPY docker-rsync/* /bin/
RUN chmod +x /bin/agent-* /bin/ssh-* /bin/hosts-*
FROM base AS build
# Copy entrypoint
COPY entrypoint.sh /entrypoint.sh COPY entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh RUN chmod +x /entrypoint.sh

5
LICENSE
View file

@ -1,8 +1,7 @@
MIT License MIT License
Copyright (c) 2019-2022 Contention Copyright (c) 2019-2021 Contention
Copyright (c) 2019-2025 Joshua Piper (Dr Internet) Copyright (c) 2019-2021 Burnett01
Copyright (c) 2019-2025 Burnett01
Permission is hereby granted, free of charge, to any person obtaining a copy Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal of this software and associated documentation files (the "Software"), to deal

345
README.md
View file

@ -1,72 +1,20 @@
# rsync deployments # rsync deployments
[![CI - Validating, Linting, Testing](https://github.com/Burnett01/rsync-deployments/actions/workflows/ci-validating-linting-testing.yml/badge.svg)](https://github.com/Burnett01/rsync-deployments/actions/workflows/ci-validating-linting-testing.yml) This GitHub Action deploys files in `GITHUB_WORKSPACE` to a remote folder via rsync over ssh.
[![Snyk Docker Vulnerability Scan](https://github.com/Burnett01/rsync-deployments/actions/workflows/snyk-docker-vulnerability-scan.yml/badge.svg)](https://github.com/Burnett01/rsync-deployments/actions/workflows/snyk-docker-vulnerability-scan.yml)
[![CodeQL](https://github.com/Burnett01/rsync-deployments/actions/workflows/github-code-scanning/codeql/badge.svg)](https://github.com/Burnett01/rsync-deployments/actions/workflows/github-code-scanning/codeql)
[![Dependabot Updates](https://github.com/Burnett01/rsync-deployments/actions/workflows/dependabot/dependabot-updates/badge.svg)](https://github.com/Burnett01/rsync-deployments/actions/workflows/dependabot/dependabot-updates)
Use this action in a CD workflow which leaves deployable code in `GITHUB_WORKSPACE`.
This cross-platform GitHub Action deploys files in [`path`](#inputs) (relative to `GITHUB_WORKSPACE`) to a remote folder via rsync over ssh. The underlaying base-image of the docker-image is very small (Alpine (no cache)) which results in fast deployments.
Use this action in a CD workflow which leaves deployable code in `GITHUB_WORKSPACE`, such [actions/checkout](https://github.com/actions/checkout).
The base-image of this action is very small and based on **Alpine 3.23.0** (no cache) which results in fast deployments.
Alpine version: [3.23.0](https://www.alpinelinux.org/posts/Alpine-3.23.0-released.html)
Rsync version: [3.4.1-r1](https://download.samba.org/pub/rsync/NEWS#3.4.1)
## Current Version: v8 (8.0.2)
### Release channels:
| Version | Purpose | Immutable |
| ------- | ------------------ | ------------------ |
| ``v8`` (recommended) | latest MAJOR (pointer to 8.MINOR.PATCH) | no |
| 8.0.2 | latest MINOR+PATCH | yes |
| 7.1.0 | previous release ([deprecation notice](https://github.com/Burnett01/rsync-deployments/discussions/96)) | yes |
Check [SECURITY.md](SECURITY.md) for support cycles.
--- ---
## How it works
```yml
name: DEPLOY
on:
push:
branches:
- master
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- name: rsync deployments
uses: burnett01/rsync-deployments@v8
with:
switches: -avzr --delete
path: src/
remote_path: ${{ secrets.REMOTE_PATH }} # ex: /var/www/html/
remote_host: ${{ secrets.REMOTE_HOST }} # ex: example.com
remote_port: ${{ secrets.REMOTE_PORT }} # ex: 22
remote_user: ${{ secrets.REMOTE_USER }} # ex: ubuntu
remote_key: ${{ secrets.REMOTE_PRIVATE_KEY }}
```
## Inputs ## Inputs
- `debug`* - Whether to enable debug output. ("true" / "false") - Default: "false"
- `switches`* - The first is for any initial/required rsync flags, eg: `-avzr --delete` - `switches`* - The first is for any initial/required rsync flags, eg: `-avzr --delete`
- `rsh` - Remote shell commands - `rsh` - Remote shell commands
- `strict_hostkeys_checking` - Enables support for strict hostkeys (fingerprint) checking. ("true" / "false") - Default: "false" - `path` - The source path. Defaults to GITHUB_WORKSPACE
- `legacy_allow_rsa_hostkeys` - Enables support for legacy RSA host keys on OpenSSH 8.8+. ("true" / "false") - Default: "false"
- `path` - The source path. Defaults to GITHUB_WORKSPACE and is relative to it
- `remote_path`* - The deployment target path - `remote_path`* - The deployment target path
@ -76,9 +24,9 @@ jobs:
- `remote_user`* - The remote user - `remote_user`* - The remote user
- `remote_key`* - The remote ssh private key - `remote_key`* - The remote ssh key
- `remote_key_pass` - The remote ssh private key passphrase (if any) - `remote_key_pass` - The remote ssh key passphrase (if any)
``* = Required`` ``* = Required``
@ -88,15 +36,13 @@ This action needs secret variables for the ssh private key of your key pair. The
> Always use secrets when dealing with sensitive inputs! > Always use secrets when dealing with sensitive inputs!
For simplicity, we are using `REMOTE_*` as the secret variables throughout the examples. For simplicity, we are using `DEPLOY_*` as the secret variables throughout the examples.
## Example usage ## Example usage
For better **security** always use secrets for remote_host, remote_port, remote_user and remote_path inputs.
Simple: Simple:
```yml ```
name: DEPLOY name: DEPLOY
on: on:
push: push:
@ -107,235 +53,83 @@ jobs:
deploy: deploy:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v6 - uses: actions/checkout@v2
- name: rsync deployments - name: rsync deployments
uses: burnett01/rsync-deployments@v8 uses: burnett01/rsync-deployments@5.0
with: with:
switches: -avzr --delete switches: -avzr --delete
path: src/ path: src/
remote_path: ${{ secrets.REMOTE_PATH }} # ex: /var/www/html/ remote_path: /var/www/html/
remote_host: ${{ secrets.REMOTE_HOST }} # ex: example.com remote_host: example.com
remote_port: ${{ secrets.REMOTE_PORT }} # ex: 22 remote_user: debian
remote_user: ${{ secrets.REMOTE_USER }} # ex: ubuntu remote_key: ${{ secrets.DEPLOY_KEY }}
remote_key: ${{ secrets.REMOTE_PRIVATE_KEY }}
``` ```
Advanced (with filters etc): Advanced:
```yml ```
jobs: jobs:
deploy: deploy:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v6 - uses: actions/checkout@v2
- name: rsync deployments - name: rsync deployments
uses: burnett01/rsync-deployments@v8 uses: burnett01/rsync-deployments@5.0
with: with:
switches: -avzr --delete --exclude="" --include="" --filter="" switches: -avzr --delete --exclude="" --include="" --filter=""
path: src/ path: src/
remote_path: ${{ secrets.REMOTE_PATH }} # ex: /var/www/html/ remote_path: /var/www/html/
remote_host: ${{ secrets.REMOTE_HOST }} # ex: example.com remote_host: example.com
remote_port: ${{ secrets.REMOTE_PORT }} # ex: 22 remote_port: 5555
remote_user: ${{ secrets.REMOTE_USER }} # ex: ubuntu remote_user: debian
remote_key: ${{ secrets.REMOTE_PRIVATE_KEY }} remote_key: ${{ secrets.DEPLOY_KEY }}
```
For better **security**, I suggest you create additional secrets for remote_host, remote_port, remote_user and remote_path inputs.
```
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: rsync deployments
uses: burnett01/rsync-deployments@5.0
with:
switches: -avzr --delete
path: src/
remote_path: ${{ secrets.DEPLOY_PATH }}
remote_host: ${{ secrets.DEPLOY_HOST }}
remote_port: ${{ secrets.DEPLOY_PORT }}
remote_user: ${{ secrets.DEPLOY_USER }}
remote_key: ${{ secrets.DEPLOY_KEY }}
``` ```
If your private key is passphrase protected you should use: If your private key is passphrase protected you should use:
```yml ```
jobs: jobs:
deploy: deploy:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v6 - uses: actions/checkout@v2
- name: rsync deployments - name: rsync deployments
uses: burnett01/rsync-deployments@v8 uses: burnett01/rsync-deployments@5.0
with: with:
switches: -avzr --delete switches: -avzr --delete
path: src/ path: src/
remote_path: ${{ secrets.REMOTE_PATH }} # ex: /var/www/html/ remote_path: ${{ secrets.DEPLOY_PATH }}
remote_host: ${{ secrets.REMOTE_HOST }} # ex: example.com remote_host: ${{ secrets.DEPLOY_HOST }}
remote_port: ${{ secrets.REMOTE_PORT }} # ex: 22 remote_port: ${{ secrets.DEPLOY_PORT }}
remote_user: ${{ secrets.REMOTE_USER }} # ex: ubuntu remote_user: ${{ secrets.DEPLOY_USER }}
remote_key: ${{ secrets.REMOTE_PRIVATE_KEY }} remote_key: ${{ secrets.DEPLOY_KEY }}
remote_key_pass: ${{ secrets.REMOTE_PRIVATE_KEY_PASS }} remote_key_pass: ${{ secrets.DEPLOY_KEY_PASS }}
``` ```
--- ---
#### Legacy RSA Hostkeys support for OpenSSH Servers >= 8.8+ ## Version 4.0 & 4.1
If your remote OpenSSH Server still uses RSA hostkeys, then you have to Looking for version 4.0 and 4.1?
manually enable legacy support for this by using ``legacy_allow_rsa_hostkeys: "true"``.
```yml
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- name: rsync deployments
uses: burnett01/rsync-deployments@v8
with:
switches: -avzr --delete
legacy_allow_rsa_hostkeys: "true"
path: src/
remote_path: ${{ secrets.REMOTE_PATH }} # ex: /var/www/html/
remote_host: ${{ secrets.REMOTE_HOST }} # ex: example.com
remote_port: ${{ secrets.REMOTE_PORT }} # ex: 22
remote_user: ${{ secrets.REMOTE_USER }} # ex: ubuntu
remote_key: ${{ secrets.REMOTE_PRIVATE_KEY }}
```
See [#49](https://github.com/Burnett01/rsync-deployments/issues/49) and [#24](https://github.com/Burnett01/rsync-deployments/issues/24) for more information.
**Note:** Only use this if necessary. It's recommended to upgrade your remote OpenSSH server instead.
--
## Advanced Rsync switches/flags/options
For advanced rsync configuration options and switches, refer to the [rsync manual](https://linux.die.net/man/1/rsync).
---
## Troubleshooting
### SSH Permission Denied Errors
If you encounter "Permission denied (publickey,password)" errors, here are the most common solutions:
#### 1. SSH Key Setup
Ensure your SSH key pair is correctly generated and configured:
```bash
# Generate a new SSH key pair (recommended: Ed25519 or RSA 4096-bit)
ssh-keygen -t ed25519 -C "deploy@yourproject" -f ~/.ssh/deploy_yourproject -N ""
# OR for RSA:
ssh-keygen -t rsa -b 4096 -C "deploy@yourproject" -f ~/.ssh/deploy_yourproject -N ""
```
**Important Steps:**
- Add the **public key** (`.pub` file) to your server's `~/.ssh/authorized_keys`
- Add the **private key** (without `.pub` extension) to GitHub Secrets as `REMOTE_PRIVATE_KEY`
- Ensure correct file permissions on your server:
```bash
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
```
For detailed information on creating and managing SSH keys, see [GitHub's SSH Key Guide](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent).
#### 2. ``remote_path`` permissions
Make sure the ``remote_user`` has write access to ``remote_path``.
See: https://github.com/Burnett01/rsync-deployments/issues/81#issuecomment-3308152891
#### 3. Firewall / GitHub Actions IP Restrictions
If your remote server has firewall restrictions:
- **Option A:** Whitelist [GitHub Actions IP ranges](https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners#ip-addresses) (Azure-based)
- **Option B:** Use self-hosted runners on your server (recommended for strict firewall environments)
### Excluding files/folders (eg .git)
By default, rsync copies dot files and folder if present at ``path:``. To exclude them, you can use the ``--exclude`` switch:
```yml
switches: -avzr --delete --exclude='.git/'
```
Other common exclusions:
```yml
switches: -avzr --delete --exclude='.git/' --exclude='node_modules/' --exclude='.env'
```
More advanced examples:
- https://github.com/Burnett01/rsync-deployments/issues/5#issuecomment-667589874
- https://github.com/Burnett01/rsync-deployments/issues/16
- https://github.com/Burnett01/rsync-deployments/issues/71
- https://github.com/Burnett01/rsync-deployments/issues/52
### Missing rsync on Remote Host
If the action fails with "rsync: command not found" or similar errors, rsync is not installed on your remote server. Install it using your system's package manager:
**Ubuntu/Debian:**
```bash
sudo apt-get update && sudo apt-get install rsync
```
**CentOS/RHEL/Rocky/AlmaLinux:**
```bash
sudo yum install rsync
# OR on newer versions:
sudo dnf install rsync
```
**Alpine Linux:**
```bash
sudo apk add rsync
```
---
## Versions
## Version 8.0.0 (EOL due to regression -> fixed via 8.0.1 & 8.0.2)
Check here:
- https://github.com/Burnett01/rsync-deployments/tree/8.0.0 (alpine 3.23.0)
## Version 7.1.0
Check here:
- https://github.com/Burnett01/rsync-deployments/tree/7.1.0 (alpine 3.22.1)
## Version 7.0.2 (DEPRECATED)
Check here:
- https://github.com/Burnett01/rsync-deployments/tree/7.0.2 (alpine 3.22.1)
---
## Version 7.0.0 & 7.0.1 (EOL)
Check here:
- https://github.com/Burnett01/rsync-deployments/tree/7.0.0 (alpine 3.19.1)
- https://github.com/Burnett01/rsync-deployments/tree/7.0.1 (alpine 3.22.1)
---
## Version 6.0 (EOL)
Check here:
- https://github.com/Burnett01/rsync-deployments/tree/6.0 (alpine 3.17.2)
---
## Version 5.0, 5.1 & 5.2 & 5.x (EOL)
Check here:
- https://github.com/Burnett01/rsync-deployments/tree/5.0 (alpine 3.11.x)
- https://github.com/Burnett01/rsync-deployments/tree/5.1 (alpine 3.14.1)
- https://github.com/Burnett01/rsync-deployments/tree/5.2 (alpine 3.15.0)
- https://github.com/Burnett01/rsync-deployments/tree/5.2.1 (alpine 3.16.1)
- https://github.com/Burnett01/rsync-deployments/tree/5.2.2 (alpine 3.17.2)
---
## Version 4.0 & 4.1 (EOL)
Check here: Check here:
@ -346,7 +140,9 @@ Version 4.0 & 4.1 use the ``drinternet/rsync:1.0.1`` base-image.
--- ---
## Version 3.0 (EOL) ## Version 3.0
Looking for version 3.0?
Check here: https://github.com/Burnett01/rsync-deployments/tree/3.0 Check here: https://github.com/Burnett01/rsync-deployments/tree/3.0
@ -356,6 +152,8 @@ based on ``alpine:latest``and heavily optimized for rsync.
## Version 2.0 (EOL) ## Version 2.0 (EOL)
Looking for version 2.0?
Check here: https://github.com/Burnett01/rsync-deployments/tree/2.0 Check here: https://github.com/Burnett01/rsync-deployments/tree/2.0
Version 2.0 uses a larger base-image (``ubuntu:latest``).<br> Version 2.0 uses a larger base-image (``ubuntu:latest``).<br>
@ -363,6 +161,8 @@ Consider upgrading to 3.0 for even faster deployments.
## Version 1.0 (EOL) ## Version 1.0 (EOL)
Looking for version 1.0?
Check here: https://github.com/Burnett01/rsync-deployments/tree/1.0 Check here: https://github.com/Burnett01/rsync-deployments/tree/1.0
Please note that version 1.0 has reached end of life state. Please note that version 1.0 has reached end of life state.
@ -372,33 +172,36 @@ Please note that version 1.0 has reached end of life state.
## Acknowledgements ## Acknowledgements
+ This project is a fork of [Contention/rsync-deployments](https://github.com/Contention/rsync-deployments) + This project is a fork of [Contention/rsync-deployments](https://github.com/Contention/rsync-deployments)
+ docker-rsync [JoshPiper/rsync-docker](https://github.com/JoshPiper/rsync-docker) + Base image [JoshPiper/rsync-docker](https://github.com/JoshPiper/rsync-docker)
--- ---
## Media & Pingback ## Media
This action was featured in multiple blogs across the globe: This action was featured in multiple blogs across the globe:
> Disclaimer: The author & co-authors are not responsible for the content of the site-links below. - https://leobrack.co.uk/blog/2020-02-15-automatically-push-changes-to-your-live-site-with-github-actions
- https://hosting.xyz/wiki/hosting/other/github-actions/ - https://blog.maniak.co/ci-cd-for-wordpress/
- https://www.alexander-palm.de/2025/07/22/sichere-rsync-deployments-mit-github-actions-und-rrsync/
- https://lab.uberspace.de/howto_automatic-deployment/
- https://blog.devops.dev/setting-up-an-ubuntu-instance-for-nodejs-apps-in-ovh-cloud-using-nginx-pm2-github-actions-7618c768d081
- https://elijahverdoorn.com/2020/04/14/automating-deployment-with-github-actions/ - https://elijahverdoorn.com/2020/04/14/automating-deployment-with-github-actions/
- https://www.vektor-inc.co.jp/post/github-actions-deploy/ - https://www.vektor-inc.co.jp/post/github-actions-deploy/
- https://ews.ink/tech/blog-deploy-2/
- https://webpick.info/automatiser-avec-github-actions/ - https://webpick.info/automatiser-avec-github-actions/
- https://matthias-andrasch.eu/blog/2021/tutorial-webseite-mittels-github-actions-deployment-zu-uberspace-uebertragen-rsync/ - https://matthias-andrasch.eu/blog/2021/tutorial-webseite-mittels-github-actions-deployment-zu-uberspace-uebertragen-rsync/
- https://mikael.koutero.me/posts/hugo-github-actions-deploy-rsync/
- https://cdmana.com/2021/02/20210208122400688I.html
- https://jishuin.proginn.com/p/763bfbd38928 - https://jishuin.proginn.com/p/763bfbd38928
- https://cloud.tencent.com/developer/article/1786522 - https://cloud.tencent.com/developer/article/1786522
- http://www.ningco.cn/github_action_deploy_blog/
- https://qdmana.com/2021/01/20210127094413405u.html

31
SECURITY.md
View file

@ -1,32 +1,17 @@
# Security Policy # Security Policy
The Docker image and code quality are regularly checked for vulnerabilities and CVEs by Snyk and CodeQL.
## Supported Versions ## Supported Versions
The following versions are currently being supported with security updates: The following versions are currently being supported with security updates:
| Version | Supported | Rsync version | Alpine version | Support Until | | Version | Supported |
| ------- | ------------------ | ------------------ | ------------------ | ------------------ | | ------- | ------------------ |
| (``v8``) 8.0.2 | :white_check_mark: | >= 3.4.1-r1 | 3.23.0 | LTS (2026-*) | | 5.0 | :white_check_mark: |
| 8.0.1 | :white_check_mark: | >= 3.4.1-r1 | 3.23.0 | Apr, 1st 2026 | | 4.1 | :white_check_mark: |
| 8.0.0 | :x: EOL (due to regression #90) | >= 3.4.1-r1 | 3.23.0 | † Dec, 6th 2025 | | 4.0 | :white_check_mark: |
| 7.1.0 | :warning: DEPRECATED | >= 3.4.1-r0 | 3.22.1 | June, 1st 2026 ([deprecation notice](https://github.com/Burnett01/rsync-deployments/discussions/96)) | | 3.0 | :white_check_mark: |
| 7.0.2 | :warning: DEPRECATED | >= 3.4.0-r0 | 3.22.1 | June, 1st 2026 ([deprecation notice](https://github.com/Burnett01/rsync-deployments/discussions/96)) | | 2.0 | :x: |
| 7.0.1 | :x: EOL | < 3.4.0 | 3.22.1 | Dec, 6th 2025 | | 1.0 | :x: |
| 7.0.0 | :x: EOL | < 3.4.0| 3.19.1 | Dec, 6th 2025 |
| 6.x | :x: EOL |< 3.4.0| 3.17.2 | 2024 |
| 5.x | :x: EOL |< 3.4.0| 3.11 - 3.14.1 - 3.15 - 3.16 - 3.17.2 | 2024 |
| 4.x | :x: EOL |< 3.4.0| 3.11 | |
| 3.0 | :x: EOL |< 3.4.0| N/A | |
| 2.0 | :x: EOL |< 3.4.0| Ubuntu | |
| 1.0 | :x: EOL |< 3.4.0| Ubuntu | |
### Terminology
EOL = End of life (no support/no updates)
DEPRECATED = Close to EOL (support/no updates)
## Reporting a Vulnerability ## Reporting a Vulnerability

12
action.yml
View file

@ -9,14 +9,6 @@ inputs:
description: 'The remote shell argument' description: 'The remote shell argument'
required: false required: false
default: '' default: ''
legacy_allow_rsa_hostkeys:
description: 'Enables support for legacy RSA host keys on OpenSSH 8.8+'
required: false
default: 'false'
strict_hostkeys_checking:
description: 'Controls strict host keys checking'
required: false
default: 'false'
path: path:
description: 'The local path' description: 'The local path'
required: false required: false
@ -41,10 +33,6 @@ inputs:
description: 'The remote key passphrase' description: 'The remote key passphrase'
required: false required: false
default: '' default: ''
debug:
description: 'Debug the action'
required: false
default: 'false'
runs: runs:
using: 'docker' using: 'docker'
image: 'Dockerfile' image: 'Dockerfile'

40
docker-rsync/README.md
View file

@ -1,40 +0,0 @@
# Scripts
Shell-scripts to help with managing SSH agents and known hosts files.
### SSH Management
#### ssh-init
This command create the ``$HOME/.ssh`` folder with default permissions ``700``.
### SSH-Agent Management
#### agent-start
This command starts the SSH agent, if it isn't already started (SSH_AGENT_PID set or ssh agent ID file found).
It takes one optional argument, for the name of the agent to be started. Defaults to "default".
This program needs to be source'd to work correctly.
`source agent-start "default"`
#### agent-stop
This command stops the SSH agent, if it is started (SSH_AGENT_PID set or ssh agent ID file found).
It takes one optional argument, for the name of the agent to be stopped. Defaults to "default".
`agent-stop "my-agent-name"`
#### agent-add
This command adds a key to the currently running SSH agent. The key is taken from stdin, and the agent used is that in SSH_AGENT_PID.
#### agent-askpass
This command is called by ssh-add when the [SSH_ASKPASS](https://man.openbsd.org/ssh-add.1#ENVIRONMENT) variable is set active. The command returns the SSH_PASS to [ssh-askpass(1)](https://man.openbsd.org/ssh-askpass.1).
This command is ignored by ssh-add if the key does not require a passphrase.
### known_hosts management
#### hosts-init
This command creates the known_hosts file (``$HOME/.ssh/known_hosts``) with default permission ``600``.
#### hosts-add
This command adds an entry to the known hosts file, and ensures its permissions are correct. It takes one argument, which is the new key to add.
#### hosts-clear
This command truncates the known_hosts file.

6
docker-rsync/agent-add
View file

@ -1,6 +0,0 @@
#!/bin/sh
set -eu
source agent-start "${1:-default}"
cat - | tr -d '\r' | DISPLAY=1 SSH_ASKPASS=agent-askpass ssh-add - >/dev/null

5
docker-rsync/agent-askpass
View file

@ -1,5 +0,0 @@
#!/bin/sh
set -eu
echo "$SSH_PASS"

21
docker-rsync/agent-start
View file

@ -1,21 +0,0 @@
#!/bin/sh
set -eu
FOLDER=${1:-default}
STORE_PATH="/tmp/ssh-agent/$FOLDER"
mkdir -p "$STORE_PATH"
if [ -z "${SSH_AGENT_PID:-}" ]; then
if [ -f "$STORE_PATH/id" ]; then
SSH_AGENT_PID=$(cat "$STORE_PATH/id")
export SSH_AGENT_PID
SSH_AUTH_SOCK=$(cat "$STORE_PATH/sock")
export SSH_AUTH_SOCK
else
eval "$(ssh-agent)" > /dev/null
echo "$SSH_AGENT_PID" > "$STORE_PATH"/id
echo "$SSH_AUTH_SOCK" > "$STORE_PATH"/sock
fi
fi

37
docker-rsync/agent-stop
View file

@ -1,37 +0,0 @@
#!/bin/sh
set -eu
if [ ! -z "$SSH_AGENT_PID" ]; then
# Here, the environment is set already, just kill the script.
eval $(ssh-agent -k) >/dev/null
exit $?
else
# The env isn't set, construct the file path.
FOLDER=${1:-default}
STORE_PATH="/tmp/ssh-agent/$FOLDER"
if [ ! -d "$STORE_PATH" ]; then
echo "Store Path $STORE_PATH doesn't exist!" >&2
exit 1
fi
# And check our files exist.
if [ -f "$STORE_PATH/id" ]; then
# Grab our PID and socket.
SSH_AGENT_PID=$(cat "$STORE_PATH/id")
export SSH_AGENT_PID
rm "$STORE_PATH/id"
SSH_AUTH_SOCK=$(cat "$STORE_PATH/sock")
export SSH_AUTH_SOCK
rm "$STORE_PATH/sock"
rmdir "$STORE_PATH"
eval $(ssh-agent -k) >/dev/null
exit $?
else
echo "SSH_AGENT_PID not set, $STORE_PATH/id doesn't exist!" >&2
exit 1
fi
fi

5
docker-rsync/hosts-add
View file

@ -1,5 +0,0 @@
#!/bin/sh
set -eu
echo "$@" >> $HOME/.ssh/known_hosts

5
docker-rsync/hosts-clear
View file

@ -1,5 +0,0 @@
#!/bin/sh
set -eu
truncate -s 0 $HOME/.ssh/known_hosts

9
docker-rsync/hosts-init
View file

@ -1,9 +0,0 @@
#!/bin/sh
set -eu
if [ ! -f "$HOME/.ssh/known_hosts" ]; then
touch $HOME/.ssh/known_hosts
fi
chmod 600 $HOME/.ssh/known_hosts

7
docker-rsync/ssh-init
View file

@ -1,7 +0,0 @@
#!/bin/sh
set -eu
if [ ! -d "$HOME/.ssh" ]; then
mkdir -m 700 $HOME/.ssh
fi

50
entrypoint.sh
View file

@ -1,55 +1,17 @@
#!/bin/sh #!/bin/sh
set -eu
if [ "${INPUT_DEBUG:-false}" = "true" ]; then
set -x
fi
if [ -z "$(echo "$INPUT_REMOTE_PATH" | awk '{$1=$1};1')" ]; then
echo "The remote_path can not be empty. see: github.com/Burnett01/rsync-deployments/issues/44"
exit 1
fi
# Initialize SSH and known hosts.
source ssh-init
source hosts-init
# Start the SSH agent and load key. # Start the SSH agent and load key.
source agent-start "$GITHUB_ACTION" source agent-start "$GITHUB_ACTION"
echo "$INPUT_REMOTE_KEY" | SSH_PASS="$INPUT_REMOTE_KEY_PASS" agent-add echo "$INPUT_REMOTE_KEY" | SSH_PASS="$INPUT_REMOTE_KEY_PASS" agent-add
# Add strict errors.
set -eu
# Variables. # Variables.
LEGACY_RSA_HOSTKEYS="" SWITCHES="$INPUT_SWITCHES"
if [ "${INPUT_LEGACY_ALLOW_RSA_HOSTKEYS:-false}" = "true" ]; then RSH="ssh -o StrictHostKeyChecking=no -p $INPUT_REMOTE_PORT $INPUT_RSH"
LEGACY_RSA_HOSTKEYS="-o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa"
fi
STRICT_HOSTKEYS_CHECKING="-o StrictHostKeyChecking=no"
if [ "${INPUT_STRICT_HOSTKEYS_CHECKING:-false}" = "true" ]; then
STRICT_HOSTKEYS_CHECKING="-o UserKnownHostsFile=$HOME/.ssh/known_hosts -o StrictHostKeyChecking=yes"
key="$(ssh-keyscan -p "$INPUT_REMOTE_PORT" "$INPUT_REMOTE_HOST" 2>/dev/null | sed '/^#/d')" || key=""
if [ -n "$key" ]; then
# fingerprint verification
echo "$key" | ssh-keygen -lf -
# add to known hosts
echo "$key" | while IFS= read -r line; do hosts-add "$line"; done
else
echo "Warning: failed to fetch host key for $INPUT_REMOTE_HOST" >&2
exit 1
fi
fi
RSH="ssh $STRICT_HOSTKEYS_CHECKING $LEGACY_RSA_HOSTKEYS -p $INPUT_REMOTE_PORT $INPUT_RSH"
LOCAL_PATH="$GITHUB_WORKSPACE/$INPUT_PATH" LOCAL_PATH="$GITHUB_WORKSPACE/$INPUT_PATH"
DSN="$INPUT_REMOTE_USER@$INPUT_REMOTE_HOST" DSN="$INPUT_REMOTE_USER@$INPUT_REMOTE_HOST"
# Deploy. # Deploy.
sh -c "rsync $INPUT_SWITCHES -e '$RSH' $LOCAL_PATH $DSN:$INPUT_REMOTE_PATH" sh -c "rsync $SWITCHES -e '$RSH' $LOCAL_PATH $DSN:$INPUT_REMOTE_PATH"
# Clean up.
source agent-stop "$GITHUB_ACTION"
source hosts-clear
exit 0

128
test/entrypoint.bats
View file

@ -1,128 +0,0 @@
#!/usr/bin/env bats
setup() {
# Create dummy binaries for sourcing
echo 'echo "source"' > source
echo 'echo "agent started"' > agent-start
echo 'echo "key added"' > agent-add
chmod +x source agent-start agent-add
# Create dummy rsync binary to capture its arguments
echo 'echo "rsync $@"' > rsync
chmod +x rsync
PATH="$PWD:$PATH"
}
teardown() {
rm -f source agent-start agent-add rsync ssh-keyscan hosts-add
}
@test "fails if INPUT_REMOTE_PATH is empty" {
export INPUT_REMOTE_PATH=" "
run ./entrypoint.sh
[ "$status" -eq 1 ]
[[ "${output}" == *"can not be empty"* ]]
}
@test "includes legacy RSA switches when allowed" {
export INPUT_LEGACY_ALLOW_RSA_HOSTKEYS="true"
export INPUT_REMOTE_PATH="remote/"
export INPUT_REMOTE_KEY="dummy"
export INPUT_REMOTE_KEY_PASS="dummy"
export GITHUB_ACTION="dummy"
export INPUT_SWITCHES="-avz"
export INPUT_REMOTE_PORT="22"
export INPUT_RSH=""
export INPUT_PATH=""
export INPUT_REMOTE_USER="user"
export INPUT_REMOTE_HOST="localhost.local"
export GITHUB_WORKSPACE="/tmp"
export DSN="user@localhost.local"
export LOCAL_PATH="/tmp/"
run ./entrypoint.sh
[[ "${output}" == *"rsync -avz -e ssh -o StrictHostKeyChecking=no -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa -p 22 /tmp/ user@localhost.local:remote/"* ]]
}
@test "does not include legacy RSA switches when not allowed" {
export INPUT_LEGACY_ALLOW_RSA_HOSTKEYS="false"
export INPUT_REMOTE_PATH="remote/"
export INPUT_REMOTE_KEY="dummy"
export INPUT_REMOTE_KEY_PASS="dummy"
export GITHUB_ACTION="dummy"
export INPUT_SWITCHES="-avz"
export INPUT_REMOTE_PORT="22"
export INPUT_RSH=""
export INPUT_PATH=""
export INPUT_REMOTE_USER="user"
export INPUT_REMOTE_HOST="localhost.local"
export GITHUB_WORKSPACE="/tmp"
export DSN="user@localhost.local"
export LOCAL_PATH="/tmp/"
run ./entrypoint.sh
[[ "${output}" == *"rsync -avz -e ssh -o StrictHostKeyChecking=no -p 22 /tmp/ user@localhost.local:remote/"* ]]
}
@test "includes STRICT_HOSTKEYS_CHECKING switches when allowed" {
# Set a fake HOME dir
local -r HOME="/tmp"
export INPUT_LEGACY_ALLOW_RSA_HOSTKEYS="false"
export INPUT_STRICT_HOSTKEYS_CHECKING="true"
export INPUT_REMOTE_PATH="remote/"
export INPUT_REMOTE_KEY="dummy"
export INPUT_REMOTE_KEY_PASS="dummy"
export GITHUB_ACTION="dummy"
export INPUT_SWITCHES="-avz"
export INPUT_REMOTE_PORT="22"
export INPUT_RSH=""
export INPUT_PATH=""
export INPUT_REMOTE_USER="user"
export INPUT_REMOTE_HOST="localhost.local"
export GITHUB_WORKSPACE="/tmp"
export DSN="user@localhost.local"
export LOCAL_PATH="/tmp/"
# Generate a mock key pair to test ssh-keyscan (entrypoint.sh:32)
rm -f "$HOME/mockKeyPair" "$HOME/mockKeyPair.pub" \
&& ssh-keygen -t ed25519 -f "$HOME/mockKeyPair" -N '' -q -C '' \
&& mockPublicKey=$(< "$HOME/mockKeyPair.pub")
# Create dummy ssh-keyscan binary to return $mockPublicKey
echo "echo 'localhost.local $mockPublicKey #Mock 1'" > ssh-keyscan
chmod +x ssh-keyscan
# Create dummy hosts-add binary to capture its arguments
echo 'echo "hosts-add $@"' > hosts-add
chmod +x hosts-add
run ./entrypoint.sh
[[ "${output}" == *"hosts-add localhost.local ssh-ed25519"* ]]
[[ "${output}" == *"rsync -avz -e ssh -o UserKnownHostsFile=/tmp/.ssh/known_hosts -o StrictHostKeyChecking=yes -p 22 /tmp/ user@localhost.local:remote/"* ]]
}
@test "does not includes STRICT_HOSTKEYS_CHECKING switches when not allowed" {
export INPUT_LEGACY_ALLOW_RSA_HOSTKEYS="false"
export INPUT_STRICT_HOSTKEYS_CHECKING="false"
export INPUT_REMOTE_PATH="remote/"
export INPUT_REMOTE_KEY="dummy"
export INPUT_REMOTE_KEY_PASS="dummy"
export GITHUB_ACTION="dummy"
export INPUT_SWITCHES="-avz"
export INPUT_REMOTE_PORT="22"
export INPUT_RSH=""
export INPUT_PATH=""
export INPUT_REMOTE_USER="user"
export INPUT_REMOTE_HOST="localhost.local"
export GITHUB_WORKSPACE="/tmp"
export DSN="user@localhost.local"
export LOCAL_PATH="/tmp/"
run ./entrypoint.sh
[[ "${output}" == *"rsync -avz -e ssh -o StrictHostKeyChecking=no -p 22 /tmp/ user@localhost.local:remote/"* ]]
}