2025-12-13 17:42:18 +01:00
21 changed files with 84 additions and 873 deletions
--- a/.dockerignore
+++ b/.dockerignore
@ -1,5 +0,0 @@
 Dockerfile
 LICENSE
 *.md
 .git*
 .github*
--- a/.editorconfig
+++ b/.editorconfig
@ -1,15 +0,0 @@
 root = true
 [*]
 charset = utf-8
 end_of_line = lf
 tab_width = 4
 indent_size = 4
 indent_style = space
 max_line_length = 9999
 insert_final_newline = true
 trim_trailing_whitespace = true
 [*.{yml,yaml}]
 tab_width = 2
 indent_size = 2
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@ -1,33 +0,0 @@
 ---
 name: Bug report
 about: Create a report to help us improve
 title: ''
 labels: ''
 assignees: ''
 ---
 **Action version**
 eg. 7.0.1
 **Runner OS+Version**
 eg. ubuntu-latest
 **Describe the bug**
 A clear and concise description of what the bug is.
 **To Reproduce**
 Steps to reproduce the behavior:
 1. Go to '...'
 2. Click on '....'
 3. Scroll down to '....'
 4. See error
 **Expected behavior**
 A clear and concise description of what you expected to happen.
 **Screenshots**
 If applicable, add screenshots to help explain your problem.
 **Additional context**
 Add any other context about the problem here.
--- a/.github/workflows/ci-validating-linting-testing.yml
+++ b/.github/workflows/ci-validating-linting-testing.yml
@ -1,165 +0,0 @@
 # GitHub Actions CI workflow for rsync-deployments
 # This workflow validates the action on every push and pull request by:
 # - Running BATS tests for the entrypoint script
 # - Validating the action.yml definition
 # - Building and testing the Docker image
 # - Checking file structure and permissions
 # - Linting shell scripts
 # - Running a final integration check
 name: CI - Validating, Linting, Testing
 permissions:
  contents: read
 on:
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]
 jobs:
  test:
    runs-on: ubuntu-latest
    name: Test BATS Suite
    steps:
    - name: Checkout code
      uses: actions/checkout@v4
    - name: Install BATS
      run: |
        sudo apt-get update
        sudo apt-get install -y bats
    - name: Run BATS tests
      run: bats test/entrypoint.bats
  validate-action:
    runs-on: ubuntu-latest
    name: Validate Action Definition
    steps:
    - name: Checkout code
      uses: actions/checkout@v4
    - name: Validate action.yml
      run: |
        # Check if action.yml exists and has required fields
        if [ ! -f "action.yml" ]; then
          echo "Error: action.yml not found"
          exit 1
        fi
        # Basic validation that action.yml contains required fields
        python3 -c "
        import yaml
        import sys
        with open('action.yml', 'r') as f:
            action = yaml.safe_load(f)
        required_fields = ['name', 'description', 'inputs', 'runs']
        for field in required_fields:
            if field not in action:
                print(f'Missing required field: {field}')
                sys.exit(1)
        # Check required inputs exist
        required_inputs = ['switches', 'remote_path', 'remote_host', 'remote_user', 'remote_key']
        for input_name in required_inputs:
            if input_name not in action['inputs']:
                print(f'Missing required input: {input_name}')
                sys.exit(1)
            if not action['inputs'][input_name].get('required', False):
                print(f'Input {input_name} should be marked as required')
                sys.exit(1)
        print('Action definition is valid')
        "
  docker-build:
    runs-on: ubuntu-latest
    name: Build Docker Image
    needs: [validate-action, action-structure]
    steps:
    - name: Checkout code
      uses: actions/checkout@v4
    - name: Build Docker image
      run: |
        echo "Building Docker image..."
        docker build -t rsync-deployments . --no-cache
        echo "Docker image built successfully"
  action-structure:
    runs-on: ubuntu-latest
    name: Validate Action Structure
    steps:
    - name: Checkout code
      uses: actions/checkout@v4
    - name: Check required files
      run: |
        echo "Checking required files exist..."
        # Check all required files exist
        required_files=("action.yml" "Dockerfile" "entrypoint.sh")
        for file in "${required_files[@]}"; do
          if [ ! -f "$file" ]; then
            echo "Error: Required file $file not found"
            exit 1
          fi
          echo "✓ $file exists"
        done
        # Check entrypoint is executable
        if [ ! -x "entrypoint.sh" ]; then
          echo "Error: entrypoint.sh is not executable"
          exit 1
        fi
        echo "✓ entrypoint.sh is executable"
        # Check basic script syntax
        bash -n entrypoint.sh
        echo "✓ entrypoint.sh has valid syntax"
        echo "All structure checks passed!"
  lint-shell:
    runs-on: ubuntu-latest
    name: Lint Shell Scripts
    steps:
    - name: Checkout code
      uses: actions/checkout@v4
    - name: Install ShellCheck
      run: |
        sudo apt-get update
        sudo apt-get install -y shellcheck
    - name: Lint entrypoint.sh
      run: |
        echo "Linting shell scripts..."
        # Run shellcheck with exclusions for Docker-specific dependencies
        shellcheck -e SC1091 -e SC3046 entrypoint.sh || {
          echo "ShellCheck found issues, but running with Docker-specific exclusions..."
          shellcheck -e SC1091 -e SC3046 entrypoint.sh
        }
        echo "Shell script linting completed"
  integration-check:
    runs-on: ubuntu-latest
    name: Integration Check
    needs: [test, validate-action, docker-build, action-structure, lint-shell]
    steps:
    - name: Checkout code
      uses: actions/checkout@v4
    - name: Final integration check
      run: |
        echo "All CI jobs completed successfully!"
        echo "✅ BATS tests passed"
        echo "✅ Action definition validated"
        echo "✅ Docker image built and tested"
        echo "✅ File structure validated"
        echo "✅ Shell scripts linted"
        echo ""
        echo "🎉 rsync-deployments action is ready for use!"
--- a/.github/workflows/snyk-docker-vulnerability-scan.yml
+++ b/.github/workflows/snyk-docker-vulnerability-scan.yml
@ -1,41 +0,0 @@
 name: Snyk Docker Vulnerability Scan
 on:
  push:
    branches: [ "master" ]
  pull_request:
    branches: [ "master" ]
  schedule:
    - cron: '39 13 * * 4'
 permissions:
  contents: read
 jobs:
  snyk:
    permissions:
      contents: read
      security-events: write
      actions: read
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
    - name: Build a Docker image
      run: docker build -t burnett01/rsync-deployments .
    - name: Run Snyk to check Docker image for vulnerabilities
      continue-on-error: true
      uses: snyk/actions/docker@master
      env:
        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      with:
        image: burnett01/rsync-deployments
        args: --file=Dockerfile
    - name: Output sarif file
      run: cat snyk.sarif
    - name: fix security-severity "null" to "0" for valid sarif format
      run: |
        sed -i 's/"security-severity": "null"/"security-severity": "0"/g' snyk.sarif
    - name: Upload result to GitHub Code Scanning
      uses: github/codeql-action/upload-sarif@v4
      with:
        sarif_file: snyk.sarif
--- a/12
+++ b/12
@ -1,14 +1,6 @@
-FROM alpine:3.23.0@sha256:51183f2cfa6320055da30872f211093f9ff1d3cf06f39a0bdb212314c5dc7375 AS base
+FROM drinternet/rsync:v1.4.3
 RUN apk update && apk add --no-cache --upgrade rsync openssh openssl busybox
 RUN rm -rf /var/cache/apk/*
 COPY docker-rsync/* /bin/
 RUN chmod +x /bin/agent-* /bin/ssh-* /bin/hosts-*
 FROM base AS build
 # Copy entrypoint
 COPY entrypoint.sh /entrypoint.sh
 RUN chmod +x /entrypoint.sh
--- a/3
+++ b/3
@ -1,8 +1,7 @@
 MIT License
 Copyright (c) 2019-2022 Contention
-Copyright (c) 2019-2025 Joshua Piper (Dr Internet)
+Copyright (c) 2019-2022 Burnett01
 Copyright (c) 2019-2025 Burnett01
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
--- a/README.md
+++ b/README.md
@ -1,71 +1,19 @@
 # rsync deployments
-[![CI - Validating, Linting, Testing](https://github.com/Burnett01/rsync-deployments/actions/workflows/ci-validating-linting-testing.yml/badge.svg)](https://github.com/Burnett01/rsync-deployments/actions/workflows/ci-validating-linting-testing.yml) 
+This GitHub Action (amd64) deploys files in `GITHUB_WORKSPACE` to a remote folder via rsync over ssh. 
 [![Snyk Docker Vulnerability Scan](https://github.com/Burnett01/rsync-deployments/actions/workflows/snyk-docker-vulnerability-scan.yml/badge.svg)](https://github.com/Burnett01/rsync-deployments/actions/workflows/snyk-docker-vulnerability-scan.yml) 
 [![CodeQL](https://github.com/Burnett01/rsync-deployments/actions/workflows/github-code-scanning/codeql/badge.svg)](https://github.com/Burnett01/rsync-deployments/actions/workflows/github-code-scanning/codeql) 
 [![Dependabot Updates](https://github.com/Burnett01/rsync-deployments/actions/workflows/dependabot/dependabot-updates/badge.svg)](https://github.com/Burnett01/rsync-deployments/actions/workflows/dependabot/dependabot-updates)
 Use this action in a CD workflow which leaves deployable code in `GITHUB_WORKSPACE`.
-This cross-platform GitHub Action deploys files in [`path`](#inputs) (relative to  `GITHUB_WORKSPACE`) to a remote folder via rsync over ssh. 
+The base-image (drinternet/rsync) of this action is very small and is based on Alpine 3.17.2 (no cache) which results in fast deployments.
 Use this action in a CD workflow which leaves deployable code in `GITHUB_WORKSPACE`, such [actions/checkout](https://github.com/actions/checkout).
 The base-image of this action is very small and based on **Alpine 3.23.0** (no cache) which results in fast deployments.
 Alpine version: [3.23.0](https://www.alpinelinux.org/posts/Alpine-3.23.0-released.html)
 Rsync version: [3.4.1-r1](https://download.samba.org/pub/rsync/NEWS#3.4.1)
 ## Current Version: v8 (8.0.2)
 ### Release channels:
 | Version | Purpose          | Immutable  | 
 | ------- | ------------------ | ------------------ | 
 | ``v8`` (recommended)  |  latest MAJOR (pointer to 8.MINOR.PATCH) | no |
 | 8.0.2  | latest MINOR+PATCH | yes |
 | 7.1.0   | previous release ([deprecation notice](https://github.com/Burnett01/rsync-deployments/discussions/96)) | yes |
 Check [SECURITY.md](SECURITY.md) for support cycles.
 ---
 ## How it works
 ```yml
 name: DEPLOY
 on:
  push:
    branches:
    - master
 jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v6
    - name: rsync deployments
      uses: burnett01/rsync-deployments@v8
      with:
        switches: -avzr --delete
        path: src/
        remote_path: ${{ secrets.REMOTE_PATH }} # ex: /var/www/html/
        remote_host: ${{ secrets.REMOTE_HOST }} # ex: example.com
        remote_port: ${{ secrets.REMOTE_PORT }} # ex: 22
        remote_user: ${{ secrets.REMOTE_USER }} # ex: ubuntu
        remote_key: ${{ secrets.REMOTE_PRIVATE_KEY }}
 ```
 ## Inputs
 - `debug`* - Whether to enable debug output. ("true" / "false") - Default: "false"
 - `switches`* - The first is for any initial/required rsync flags, eg: `-avzr --delete`
 - `rsh` - Remote shell commands
 - `strict_hostkeys_checking` - Enables support for strict hostkeys (fingerprint) checking. ("true" / "false") - Default: "false"
 - `legacy_allow_rsa_hostkeys` - Enables support for legacy RSA host keys on OpenSSH 8.8+. ("true" / "false") - Default: "false"
 - `path` - The source path. Defaults to GITHUB_WORKSPACE and is relative to it
 - `remote_path`* - The deployment target path
@ -76,9 +24,9 @@ jobs:
 - `remote_user`* - The remote user
- `remote_key`* - The remote ssh private key
+- `remote_key`* - The remote ssh key
- `remote_key_pass` - The remote ssh private key passphrase (if any)
+- `remote_key_pass` - The remote ssh key passphrase (if any)
 ``* = Required``
@ -88,15 +36,13 @@ This action needs secret variables for the ssh private key of your key pair. The
 > Always use secrets when dealing with sensitive inputs!
-For simplicity, we are using `REMOTE_*` as the secret variables throughout the examples.
+For simplicity, we are using `DEPLOY_*` as the secret variables throughout the examples.
 ## Example usage
 For better **security** always use secrets for remote_host, remote_port, remote_user and remote_path inputs.
 Simple:
-```yml
+```
 name: DEPLOY
 on:
  push:
@ -107,223 +53,81 @@ jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@v2
    - name: rsync deployments
-      uses: burnett01/rsync-deployments@v8
+      uses: burnett01/rsync-deployments@5.2.2
      with:
        switches: -avzr --delete
        path: src/
-        remote_path: ${{ secrets.REMOTE_PATH }} # ex: /var/www/html/
+        remote_path: /var/www/html/
-        remote_host: ${{ secrets.REMOTE_HOST }} # ex: example.com
+        remote_host: example.com
-        remote_port: ${{ secrets.REMOTE_PORT }} # ex: 22
+        remote_user: debian
-        remote_user: ${{ secrets.REMOTE_USER }} # ex: ubuntu
+        remote_key: ${{ secrets.DEPLOY_KEY }}
        remote_key: ${{ secrets.REMOTE_PRIVATE_KEY }}
 ```
-Advanced (with filters etc):
+Advanced:
-```yml
+```
 jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@v2
    - name: rsync deployments
-      uses: burnett01/rsync-deployments@v8
+      uses: burnett01/rsync-deployments@5.2.2
      with:
        switches: -avzr --delete --exclude="" --include="" --filter=""
        path: src/
-        remote_path: ${{ secrets.REMOTE_PATH }} # ex: /var/www/html/
+        remote_path: /var/www/html/
-        remote_host: ${{ secrets.REMOTE_HOST }} # ex: example.com
+        remote_host: example.com
-        remote_port: ${{ secrets.REMOTE_PORT }} # ex: 22
+        remote_port: 5555
-        remote_user: ${{ secrets.REMOTE_USER }} # ex: ubuntu
+        remote_user: debian
-        remote_key: ${{ secrets.REMOTE_PRIVATE_KEY }}
+        remote_key: ${{ secrets.DEPLOY_KEY }}
 ```
 For better **security**, I suggest you create additional secrets for remote_host, remote_port, remote_user and remote_path inputs.
 ```
 jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
    - name: rsync deployments
      uses: burnett01/rsync-deployments@5.2.2
      with:
        switches: -avzr --delete
        path: src/
        remote_path: ${{ secrets.DEPLOY_PATH }}
        remote_host: ${{ secrets.DEPLOY_HOST }}
        remote_port: ${{ secrets.DEPLOY_PORT }}
        remote_user: ${{ secrets.DEPLOY_USER }}
        remote_key: ${{ secrets.DEPLOY_KEY }}
 ```
 If your private key is passphrase protected you should use:
-```yml
+```
 jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@v2
    - name: rsync deployments
-      uses: burnett01/rsync-deployments@v8
+      uses: burnett01/rsync-deployments@5.2.2
      with:
        switches: -avzr --delete
        path: src/
-        remote_path: ${{ secrets.REMOTE_PATH }} # ex: /var/www/html/
+        remote_path: ${{ secrets.DEPLOY_PATH }}
-        remote_host: ${{ secrets.REMOTE_HOST }} # ex: example.com
+        remote_host: ${{ secrets.DEPLOY_HOST }}
-        remote_port: ${{ secrets.REMOTE_PORT }} # ex: 22
+        remote_port: ${{ secrets.DEPLOY_PORT }}
-        remote_user: ${{ secrets.REMOTE_USER }} # ex: ubuntu
+        remote_user: ${{ secrets.DEPLOY_USER }}
-        remote_key: ${{ secrets.REMOTE_PRIVATE_KEY }}
+        remote_key: ${{ secrets.DEPLOY_KEY }}
-        remote_key_pass: ${{ secrets.REMOTE_PRIVATE_KEY_PASS }}
+        remote_key_pass: ${{ secrets.DEPLOY_KEY_PASS }}
 ```
 ---
-#### Legacy RSA Hostkeys support for OpenSSH Servers >= 8.8+
+## Version 5.0, 5.1 & 5.2
 If your remote OpenSSH Server still uses RSA hostkeys, then you have to
 manually enable legacy support for this by using ``legacy_allow_rsa_hostkeys: "true"``.
 ```yml
 jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v6
    - name: rsync deployments
      uses: burnett01/rsync-deployments@v8
      with:
        switches: -avzr --delete
        legacy_allow_rsa_hostkeys: "true"
        path: src/
        remote_path: ${{ secrets.REMOTE_PATH }} # ex: /var/www/html/
        remote_host: ${{ secrets.REMOTE_HOST }} # ex: example.com
        remote_port: ${{ secrets.REMOTE_PORT }} # ex: 22
        remote_user: ${{ secrets.REMOTE_USER }} # ex: ubuntu
        remote_key: ${{ secrets.REMOTE_PRIVATE_KEY }}
 ```
 See [#49](https://github.com/Burnett01/rsync-deployments/issues/49) and [#24](https://github.com/Burnett01/rsync-deployments/issues/24) for more information.
 **Note:** Only use this if necessary. It's recommended to upgrade your remote OpenSSH server instead.
 --
 ## Advanced Rsync switches/flags/options
 For advanced rsync configuration options and switches, refer to the [rsync manual](https://linux.die.net/man/1/rsync).
 ---
 ## Troubleshooting
 ### SSH Permission Denied Errors
 If you encounter "Permission denied (publickey,password)" errors, here are the most common solutions:
 #### 1. SSH Key Setup
 Ensure your SSH key pair is correctly generated and configured:
 ```bash
 # Generate a new SSH key pair (recommended: Ed25519 or RSA 4096-bit)
 ssh-keygen -t ed25519 -C "deploy@yourproject" -f ~/.ssh/deploy_yourproject -N ""
 # OR for RSA:
 ssh-keygen -t rsa -b 4096 -C "deploy@yourproject" -f ~/.ssh/deploy_yourproject -N ""
 ```
 **Important Steps:**
 - Add the **public key** (`.pub` file) to your server's `~/.ssh/authorized_keys`
 - Add the **private key** (without `.pub` extension) to GitHub Secrets as `REMOTE_PRIVATE_KEY`
 - Ensure correct file permissions on your server:
  ```bash
  chmod 700 ~/.ssh
  chmod 600 ~/.ssh/authorized_keys
  ```
 For detailed information on creating and managing SSH keys, see [GitHub's SSH Key Guide](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent).
 #### 2. ``remote_path`` permissions
 Make sure the ``remote_user`` has write access to ``remote_path``.
 See: https://github.com/Burnett01/rsync-deployments/issues/81#issuecomment-3308152891
 #### 3. Firewall / GitHub Actions IP Restrictions
 If your remote server has firewall restrictions:
 - **Option A:** Whitelist [GitHub Actions IP ranges](https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners#ip-addresses) (Azure-based)
 - **Option B:** Use self-hosted runners on your server (recommended for strict firewall environments)
 ### Excluding files/folders (eg .git) 
 By default, rsync copies dot files and folder if present at ``path:``. To exclude them, you can use the ``--exclude`` switch:
 ```yml
 switches: -avzr --delete --exclude='.git/'
 ```
 Other common exclusions:
 ```yml
 switches: -avzr --delete --exclude='.git/' --exclude='node_modules/' --exclude='.env'
 ```
 More advanced examples:
 - https://github.com/Burnett01/rsync-deployments/issues/5#issuecomment-667589874
 - https://github.com/Burnett01/rsync-deployments/issues/16
 - https://github.com/Burnett01/rsync-deployments/issues/71
 - https://github.com/Burnett01/rsync-deployments/issues/52
 ### Missing rsync on Remote Host
 If the action fails with "rsync: command not found" or similar errors, rsync is not installed on your remote server. Install it using your system's package manager:
 **Ubuntu/Debian:**
 ```bash
 sudo apt-get update && sudo apt-get install rsync
 ```
 **CentOS/RHEL/Rocky/AlmaLinux:**
 ```bash
 sudo yum install rsync
 # OR on newer versions:
 sudo dnf install rsync
 ```
 **Alpine Linux:**
 ```bash
 sudo apk add rsync
 ```
 ---
 ## Versions
 ## Version 8.0.0 (EOL due to regression -> fixed via 8.0.1 & 8.0.2)
 Check here: 
 - https://github.com/Burnett01/rsync-deployments/tree/8.0.0  (alpine 3.23.0)
 ## Version 7.1.0
 Check here: 
 - https://github.com/Burnett01/rsync-deployments/tree/7.1.0  (alpine 3.22.1)
 ## Version 7.0.2 (DEPRECATED)
 Check here: 
 - https://github.com/Burnett01/rsync-deployments/tree/7.0.2  (alpine 3.22.1)
 ---
 ## Version 7.0.0 & 7.0.1 (EOL)
 Check here: 
 - https://github.com/Burnett01/rsync-deployments/tree/7.0.0  (alpine 3.19.1)
 - https://github.com/Burnett01/rsync-deployments/tree/7.0.1  (alpine 3.22.1)
 ---
 ## Version 6.0 (EOL)
 Check here: 
 - https://github.com/Burnett01/rsync-deployments/tree/6.0  (alpine 3.17.2)
 ---
 ## Version 5.0, 5.1 & 5.2 & 5.x (EOL)
 Check here: 
@ -332,10 +136,10 @@ Check here:
 - https://github.com/Burnett01/rsync-deployments/tree/5.2  (alpine 3.15.0)
 - https://github.com/Burnett01/rsync-deployments/tree/5.2.1  (alpine 3.16.1)
 - https://github.com/Burnett01/rsync-deployments/tree/5.2.2  (alpine 3.17.2)
-
+- 
 ---
-## Version 4.0 & 4.1 (EOL)
+## Version 4.0 & 4.1
 Check here: 
@ -372,33 +176,36 @@ Please note that version 1.0 has reached end of life state.
 ## Acknowledgements
 + This project is a fork of [Contention/rsync-deployments](https://github.com/Contention/rsync-deployments)
-+ docker-rsync [JoshPiper/rsync-docker](https://github.com/JoshPiper/rsync-docker)
+ Base image [JoshPiper/rsync-docker](https://github.com/JoshPiper/rsync-docker)
 ---
-## Media & Pingback
+## Media
 This action was featured in multiple blogs across the globe:
-> Disclaimer: The author & co-authors are not responsible for the content of the site-links below.
+- https://leobrack.co.uk/blog/2020-02-15-automatically-push-changes-to-your-live-site-with-github-actions
- https://hosting.xyz/wiki/hosting/other/github-actions/
+- https://blog.maniak.co/ci-cd-for-wordpress/
 - https://www.alexander-palm.de/2025/07/22/sichere-rsync-deployments-mit-github-actions-und-rrsync/
 - https://lab.uberspace.de/howto_automatic-deployment/
 - https://blog.devops.dev/setting-up-an-ubuntu-instance-for-nodejs-apps-in-ovh-cloud-using-nginx-pm2-github-actions-7618c768d081
 - https://elijahverdoorn.com/2020/04/14/automating-deployment-with-github-actions/
 - https://www.vektor-inc.co.jp/post/github-actions-deploy/
 - https://ews.ink/tech/blog-deploy-2/
 - https://webpick.info/automatiser-avec-github-actions/
 - https://matthias-andrasch.eu/blog/2021/tutorial-webseite-mittels-github-actions-deployment-zu-uberspace-uebertragen-rsync/
 - https://mikael.koutero.me/posts/hugo-github-actions-deploy-rsync/
 - https://cdmana.com/2021/02/20210208122400688I.html
 - https://jishuin.proginn.com/p/763bfbd38928
 - https://cloud.tencent.com/developer/article/1786522
 - http://www.ningco.cn/github_action_deploy_blog/
 - https://qdmana.com/2021/01/20210127094413405u.html
--- a/SECURITY.md
+++ b/SECURITY.md
@ -1,32 +1,17 @@
 # Security Policy
 The Docker image and code quality are regularly checked for vulnerabilities and CVEs by Snyk and CodeQL.
 ## Supported Versions
 The following versions are currently being supported with security updates:
-| Version | Supported          | Rsync version          | Alpine version          | Support Until  |
+| Version | Supported          |
-| ------- | ------------------ | ------------------ | ------------------ | ------------------ | 
+| ------- | ------------------ |
-| (``v8``) 8.0.2  | :white_check_mark: | >= 3.4.1-r1 | 3.23.0 | LTS (2026-*) |
+| 5.x   | :white_check_mark: |
-| 8.0.1  | :white_check_mark: | >= 3.4.1-r1 | 3.23.0 | Apr, 1st 2026 |
+| 4.1   | :white_check_mark: |
-| 8.0.0  | :x: EOL (due to regression #90) | >= 3.4.1-r1 | 3.23.0 | † Dec, 6th 2025 |
+| 4.0   | :white_check_mark: |
-| 7.1.0  | :warning: DEPRECATED | >= 3.4.1-r0 | 3.22.1 | June, 1st 2026 ([deprecation notice](https://github.com/Burnett01/rsync-deployments/discussions/96)) |
+| 3.0   | :x: |
-| 7.0.2   | :warning: DEPRECATED | >= 3.4.0-r0 | 3.22.1 | June, 1st 2026 ([deprecation notice](https://github.com/Burnett01/rsync-deployments/discussions/96)) |
+| 2.0   | :x:                |
-| 7.0.1   | :x: EOL | < 3.4.0 | 3.22.1 | † Dec, 6th 2025 |
+| 1.0   | :x:                |
 | 7.0.0   | :x: EOL | < 3.4.0| 3.19.1 | † Dec, 6th 2025 |
 | 6.x   | :x: EOL |< 3.4.0| 3.17.2 | † 2024 |
 | 5.x   | :x: EOL |< 3.4.0| 3.11 - 3.14.1 - 3.15 - 3.16 - 3.17.2 | † 2024 |
 | 4.x   | :x: EOL |< 3.4.0| 3.11 |  † |
 | 3.0   | :x: EOL |< 3.4.0| N/A | † |
 | 2.0   | :x: EOL               |< 3.4.0| Ubuntu | † |
 | 1.0   | :x: EOL               |< 3.4.0| Ubuntu | † |
 ### Terminology
 EOL = End of life (no support/no updates)
 DEPRECATED = Close to EOL (support/no updates)
 ## Reporting a Vulnerability
--- a/action.yml
+++ b/action.yml
@ -9,14 +9,6 @@ inputs:
    description: 'The remote shell argument'
    required: false
    default: ''
  legacy_allow_rsa_hostkeys:
    description: 'Enables support for legacy RSA host keys on OpenSSH 8.8+'
    required: false
    default: 'false'
  strict_hostkeys_checking:
    description: 'Controls strict host keys checking'
    required: false
    default: 'false'
  path:
    description: 'The local path'
    required: false
@ -41,10 +33,6 @@ inputs:
    description: 'The remote key passphrase'
    required: false
    default: ''
  debug:
    description: 'Debug the action'
    required: false
    default: 'false'
 runs:
  using: 'docker'
  image: 'Dockerfile'
--- a/docker-rsync/README.md
+++ b/docker-rsync/README.md
@ -1,40 +0,0 @@
 # Scripts
 Shell-scripts to help with managing SSH agents and known hosts files.
 ### SSH Management
 #### ssh-init
 This command create the ``$HOME/.ssh`` folder with default permissions ``700``.
 ### SSH-Agent Management
 #### agent-start
 This command starts the SSH agent, if it isn't already started (SSH_AGENT_PID set or ssh agent ID file found).
 It takes one optional argument, for the name of the agent to be started. Defaults to "default".
 This program needs to be source'd to work correctly.
 `source agent-start "default"`
 #### agent-stop
 This command stops the SSH agent, if it is started (SSH_AGENT_PID set or ssh agent ID file found).
 It takes one optional argument, for the name of the agent to be stopped. Defaults to "default".
 `agent-stop "my-agent-name"`
 #### agent-add
 This command adds a key to the currently running SSH agent. The key is taken from stdin, and the agent used is that in SSH_AGENT_PID.
 #### agent-askpass
 This command is called by ssh-add when the [SSH_ASKPASS](https://man.openbsd.org/ssh-add.1#ENVIRONMENT) variable is set active. The command returns the SSH_PASS to [ssh-askpass(1)](https://man.openbsd.org/ssh-askpass.1).
 This command is ignored by ssh-add if the key does not require a passphrase.
 ### known_hosts management
 #### hosts-init
 This command creates the known_hosts file (``$HOME/.ssh/known_hosts``) with default permission ``600``.
 #### hosts-add
 This command adds an entry to the known hosts file, and ensures its permissions are correct. It takes one argument, which is the new key to add.
 #### hosts-clear
 This command truncates the known_hosts file.
--- a/docker-rsync/agent-add
+++ b/docker-rsync/agent-add
@ -1,6 +0,0 @@
 #!/bin/sh
 set -eu
 source agent-start "${1:-default}"
 cat - | tr -d '\r' | DISPLAY=1 SSH_ASKPASS=agent-askpass ssh-add - >/dev/null
--- a/docker-rsync/agent-askpass
+++ b/docker-rsync/agent-askpass
@ -1,5 +0,0 @@
 #!/bin/sh
 set -eu
 echo "$SSH_PASS"
--- a/docker-rsync/agent-start
+++ b/docker-rsync/agent-start
@ -1,21 +0,0 @@
 #!/bin/sh
 set -eu
 FOLDER=${1:-default}
 STORE_PATH="/tmp/ssh-agent/$FOLDER"
 mkdir -p "$STORE_PATH"
 if [ -z "${SSH_AGENT_PID:-}" ]; then
 	if [ -f "$STORE_PATH/id" ]; then
 		SSH_AGENT_PID=$(cat "$STORE_PATH/id")
 		export SSH_AGENT_PID
 		SSH_AUTH_SOCK=$(cat "$STORE_PATH/sock")
 		export SSH_AUTH_SOCK
 	else
 		eval "$(ssh-agent)" > /dev/null
 		echo "$SSH_AGENT_PID" > "$STORE_PATH"/id
 		echo "$SSH_AUTH_SOCK" > "$STORE_PATH"/sock
 	fi
 fi
--- a/docker-rsync/agent-stop
+++ b/docker-rsync/agent-stop
@ -1,37 +0,0 @@
 #!/bin/sh
 set -eu
 if [ ! -z "$SSH_AGENT_PID" ]; then
 	# Here, the environment is set already, just kill the script.
 	eval $(ssh-agent -k) >/dev/null
 	exit $?
 else
 	# The env isn't set, construct the file path.
 	FOLDER=${1:-default}
 	STORE_PATH="/tmp/ssh-agent/$FOLDER"
 	if [ ! -d "$STORE_PATH" ]; then
 		echo "Store Path $STORE_PATH doesn't exist!" >&2
 		exit 1
 	fi
 	# And check our files exist.
 	if [ -f "$STORE_PATH/id" ]; then
 		# Grab our PID and socket.
 		SSH_AGENT_PID=$(cat "$STORE_PATH/id")
 		export SSH_AGENT_PID
 		rm "$STORE_PATH/id"
 		SSH_AUTH_SOCK=$(cat "$STORE_PATH/sock")
 		export SSH_AUTH_SOCK
 		rm "$STORE_PATH/sock"
 		rmdir "$STORE_PATH"
 		eval $(ssh-agent -k) >/dev/null
 		exit $?
 	else
 		echo "SSH_AGENT_PID not set, $STORE_PATH/id doesn't exist!" >&2
 		exit 1
 	fi
 fi
--- a/docker-rsync/hosts-add
+++ b/docker-rsync/hosts-add
@ -1,5 +0,0 @@
 #!/bin/sh
 set -eu
 echo "$@" >> $HOME/.ssh/known_hosts
--- a/docker-rsync/hosts-clear
+++ b/docker-rsync/hosts-clear
@ -1,5 +0,0 @@
 #!/bin/sh
 set -eu
 truncate -s 0 $HOME/.ssh/known_hosts
--- a/docker-rsync/hosts-init
+++ b/docker-rsync/hosts-init
@ -1,9 +0,0 @@
 #!/bin/sh
 set -eu
 if [ ! -f "$HOME/.ssh/known_hosts" ]; then
    touch $HOME/.ssh/known_hosts
 fi
 chmod 600 $HOME/.ssh/known_hosts
--- a/docker-rsync/ssh-init
+++ b/docker-rsync/ssh-init
@ -1,7 +0,0 @@
 #!/bin/sh
 set -eu
 if [ ! -d "$HOME/.ssh" ]; then
    mkdir -m 700 $HOME/.ssh
 fi
--- a/entrypoint.sh
+++ b/entrypoint.sh
@ -1,55 +1,17 @@
 #!/bin/sh
 set -eu
 if [ "${INPUT_DEBUG:-false}" = "true" ]; then
    set -x
 fi
 if [ -z "$(echo "$INPUT_REMOTE_PATH" | awk '{$1=$1};1')" ]; then
    echo "The remote_path can not be empty. see: github.com/Burnett01/rsync-deployments/issues/44"
    exit 1
 fi
 # Initialize SSH and known hosts.
 source ssh-init
 source hosts-init
 # Start the SSH agent and load key.
 source agent-start "$GITHUB_ACTION"
 echo "$INPUT_REMOTE_KEY" | SSH_PASS="$INPUT_REMOTE_KEY_PASS" agent-add
 # Add strict errors.
 set -eu
 # Variables.
-LEGACY_RSA_HOSTKEYS=""
+SWITCHES="$INPUT_SWITCHES"
-if [ "${INPUT_LEGACY_ALLOW_RSA_HOSTKEYS:-false}" = "true" ]; then
+RSH="ssh -o StrictHostKeyChecking=no -p $INPUT_REMOTE_PORT $INPUT_RSH"
    LEGACY_RSA_HOSTKEYS="-o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa"
 fi
 STRICT_HOSTKEYS_CHECKING="-o StrictHostKeyChecking=no"
 if [ "${INPUT_STRICT_HOSTKEYS_CHECKING:-false}" = "true" ]; then
    STRICT_HOSTKEYS_CHECKING="-o UserKnownHostsFile=$HOME/.ssh/known_hosts -o StrictHostKeyChecking=yes"
    key="$(ssh-keyscan -p "$INPUT_REMOTE_PORT" "$INPUT_REMOTE_HOST" 2>/dev/null | sed '/^#/d')" || key=""
    if [ -n "$key" ]; then
        # fingerprint verification
        echo "$key" | ssh-keygen -lf -
        # add to known hosts
        echo "$key" | while IFS= read -r line; do hosts-add "$line"; done
    else
        echo "Warning: failed to fetch host key for $INPUT_REMOTE_HOST" >&2
        exit 1
    fi
 fi
 RSH="ssh $STRICT_HOSTKEYS_CHECKING $LEGACY_RSA_HOSTKEYS -p $INPUT_REMOTE_PORT $INPUT_RSH"
 LOCAL_PATH="$GITHUB_WORKSPACE/$INPUT_PATH"
 DSN="$INPUT_REMOTE_USER@$INPUT_REMOTE_HOST"
 # Deploy.
-sh -c "rsync $INPUT_SWITCHES -e '$RSH' $LOCAL_PATH $DSN:$INPUT_REMOTE_PATH"
+sh -c "rsync $SWITCHES -e '$RSH' $LOCAL_PATH $DSN:$INPUT_REMOTE_PATH"
 # Clean up.
 source agent-stop "$GITHUB_ACTION"
 source hosts-clear
 exit 0
--- a/test/entrypoint.bats
+++ b/test/entrypoint.bats
@ -1,128 +0,0 @@
 #!/usr/bin/env bats
 setup() {
    # Create dummy binaries for sourcing
    echo 'echo "source"' > source
    echo 'echo "agent started"' > agent-start
    echo 'echo "key added"' > agent-add
    chmod +x source agent-start agent-add
    # Create dummy rsync binary to capture its arguments
    echo 'echo "rsync $@"' > rsync
    chmod +x rsync
    PATH="$PWD:$PATH"
 }
 teardown() {
    rm -f source agent-start agent-add rsync ssh-keyscan hosts-add
 }
@test "fails if INPUT_REMOTE_PATH is empty" {
    export INPUT_REMOTE_PATH=" "
    run ./entrypoint.sh
    [ "$status" -eq 1 ]
    [[ "${output}" == *"can not be empty"* ]]
 }
@test "includes legacy RSA switches when allowed" {
    export INPUT_LEGACY_ALLOW_RSA_HOSTKEYS="true"
    export INPUT_REMOTE_PATH="remote/"
    export INPUT_REMOTE_KEY="dummy"
    export INPUT_REMOTE_KEY_PASS="dummy"
    export GITHUB_ACTION="dummy"
    export INPUT_SWITCHES="-avz"
    export INPUT_REMOTE_PORT="22"
    export INPUT_RSH=""
    export INPUT_PATH=""
    export INPUT_REMOTE_USER="user"
    export INPUT_REMOTE_HOST="localhost.local"
    export GITHUB_WORKSPACE="/tmp"
    export DSN="user@localhost.local"
    export LOCAL_PATH="/tmp/"
    run ./entrypoint.sh
    [[ "${output}" == *"rsync -avz -e ssh -o StrictHostKeyChecking=no -o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedKeyTypes=+ssh-rsa -p 22  /tmp/ user@localhost.local:remote/"* ]]
 }
@test "does not include legacy RSA switches when not allowed" {
    export INPUT_LEGACY_ALLOW_RSA_HOSTKEYS="false"
    export INPUT_REMOTE_PATH="remote/"
    export INPUT_REMOTE_KEY="dummy"
    export INPUT_REMOTE_KEY_PASS="dummy"
    export GITHUB_ACTION="dummy"
    export INPUT_SWITCHES="-avz"
    export INPUT_REMOTE_PORT="22"
    export INPUT_RSH=""
    export INPUT_PATH=""
    export INPUT_REMOTE_USER="user"
    export INPUT_REMOTE_HOST="localhost.local"
    export GITHUB_WORKSPACE="/tmp"
    export DSN="user@localhost.local"
    export LOCAL_PATH="/tmp/"
    run ./entrypoint.sh
    [[ "${output}" == *"rsync -avz -e ssh -o StrictHostKeyChecking=no  -p 22  /tmp/ user@localhost.local:remote/"* ]]
 }
@test "includes STRICT_HOSTKEYS_CHECKING switches when allowed" {
    # Set a fake HOME dir
    local -r HOME="/tmp"
    export INPUT_LEGACY_ALLOW_RSA_HOSTKEYS="false"
    export INPUT_STRICT_HOSTKEYS_CHECKING="true"
    export INPUT_REMOTE_PATH="remote/"
    export INPUT_REMOTE_KEY="dummy"
    export INPUT_REMOTE_KEY_PASS="dummy"
    export GITHUB_ACTION="dummy"
    export INPUT_SWITCHES="-avz"
    export INPUT_REMOTE_PORT="22"
    export INPUT_RSH=""
    export INPUT_PATH=""
    export INPUT_REMOTE_USER="user"
    export INPUT_REMOTE_HOST="localhost.local"
    export GITHUB_WORKSPACE="/tmp"
    export DSN="user@localhost.local"
    export LOCAL_PATH="/tmp/"
    # Generate a mock key pair to test ssh-keyscan (entrypoint.sh:32)
    rm -f "$HOME/mockKeyPair" "$HOME/mockKeyPair.pub" \
    && ssh-keygen -t ed25519 -f "$HOME/mockKeyPair" -N '' -q -C '' \
    && mockPublicKey=$(< "$HOME/mockKeyPair.pub")
    # Create dummy ssh-keyscan binary to return $mockPublicKey
    echo "echo 'localhost.local $mockPublicKey #Mock 1'" > ssh-keyscan
    chmod +x ssh-keyscan
    # Create dummy hosts-add binary to capture its arguments
    echo 'echo "hosts-add $@"' > hosts-add
    chmod +x hosts-add
    run ./entrypoint.sh
    [[ "${output}" == *"hosts-add localhost.local ssh-ed25519"* ]]
    [[ "${output}" == *"rsync -avz -e ssh -o UserKnownHostsFile=/tmp/.ssh/known_hosts -o StrictHostKeyChecking=yes  -p 22  /tmp/ user@localhost.local:remote/"* ]]
 }
@test "does not includes STRICT_HOSTKEYS_CHECKING switches when not allowed" {
    export INPUT_LEGACY_ALLOW_RSA_HOSTKEYS="false"
    export INPUT_STRICT_HOSTKEYS_CHECKING="false"
    export INPUT_REMOTE_PATH="remote/"
    export INPUT_REMOTE_KEY="dummy"
    export INPUT_REMOTE_KEY_PASS="dummy"
    export GITHUB_ACTION="dummy"
    export INPUT_SWITCHES="-avz"
    export INPUT_REMOTE_PORT="22"
    export INPUT_RSH=""
    export INPUT_PATH=""
    export INPUT_REMOTE_USER="user"
    export INPUT_REMOTE_HOST="localhost.local"
    export GITHUB_WORKSPACE="/tmp"
    export DSN="user@localhost.local"
    export LOCAL_PATH="/tmp/"
    run ./entrypoint.sh
    [[ "${output}" == *"rsync -avz -e ssh -o StrictHostKeyChecking=no  -p 22  /tmp/ user@localhost.local:remote/"* ]]
 }