# rsync deployments [![CI - Validating, Linting, Testing](https://github.com/Burnett01/rsync-deployments/actions/workflows/ci-validating-linting-testing.yml/badge.svg)](https://github.com/Burnett01/rsync-deployments/actions/workflows/ci-validating-linting-testing.yml) [![Snyk Docker Vulnerability Scan](https://github.com/Burnett01/rsync-deployments/actions/workflows/snyk-docker-vulnerability-scan.yml/badge.svg)](https://github.com/Burnett01/rsync-deployments/actions/workflows/snyk-docker-vulnerability-scan.yml) [![CodeQL](https://github.com/Burnett01/rsync-deployments/actions/workflows/github-code-scanning/codeql/badge.svg)](https://github.com/Burnett01/rsync-deployments/actions/workflows/github-code-scanning/codeql) [![Dependabot Updates](https://github.com/Burnett01/rsync-deployments/actions/workflows/dependabot/dependabot-updates/badge.svg)](https://github.com/Burnett01/rsync-deployments/actions/workflows/dependabot/dependabot-updates) This GitHub Action (amd64) deploys files in `GITHUB_WORKSPACE` to a remote folder via rsync over ssh. Use this action in a CD workflow which leaves deployable code in `GITHUB_WORKSPACE`. The base-image [drinternet/rsync](https://github.com/JoshPiper/rsync-docker/) of this action is very small and is based on Alpine 3.22.1 (no cache) which results in fast deployments. Alpine version: [3.22.1](https://alpinelinux.org/posts/Alpine-3.19.8-3.20.7-3.21.4-3.22.1-released.html) Rsync version: [3.4.1-r0](https://download.samba.org/pub/rsync/NEWS#3.4.1) --- ## Inputs - `switches`* - The first is for any initial/required rsync flags, eg: `-avzr --delete` - `rsh` - Remote shell commands - `legacy_allow_rsa_hostkeys` - Enables support for legacy RSA host keys on OpenSSH 8.8+. ("true" / "false") - `path` - The source path. Defaults to GITHUB_WORKSPACE and is relative to it - `remote_path`* - The deployment target path - `remote_host`* - The remote host - `remote_port` - The remote port. Defaults to 22 - `remote_user`* - The remote user - `remote_key`* - The remote ssh key - `remote_key_pass` - The remote ssh key passphrase (if any) ``* = Required`` ## Required secret(s) This action needs secret variables for the ssh private key of your key pair. The public key part should be added to the authorized_keys file on the server that receives the deployment. The secret variable should be set in the Github secrets section of your org/repo and then referenced as the `remote_key` input. > Always use secrets when dealing with sensitive inputs! For simplicity, we are using `DEPLOY_*` as the secret variables throughout the examples. ### Recommended SSH Key Generation **For new deployments, use Ed25519 keys (recommended):** ```bash ssh-keygen -t ed25519 -C "deploy@yourproject" -f ~/.ssh/deploy_yourproject -N "" ``` **If you must use RSA keys:** ```bash ssh-keygen -t rsa -b 4096 -C "deploy@yourproject" -f ~/.ssh/deploy_yourproject -N "" ``` *Note: RSA keys require `legacy_allow_rsa_hostkeys: "true"` with modern OpenSSH servers (8.8+)* ## Current Version: 7.1.0 ## Example usage Simple: ```yml name: DEPLOY on: push: branches: - master jobs: deploy: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - name: rsync deployments uses: burnett01/rsync-deployments@7.1.0 with: switches: -avzr --delete path: src/ remote_path: /var/www/html/ remote_host: example.com remote_user: debian remote_key: ${{ secrets.DEPLOY_KEY }} ``` Advanced: ```yml jobs: deploy: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - name: rsync deployments uses: burnett01/rsync-deployments@7.1.0 with: switches: -avzr --delete --exclude="" --include="" --filter="" path: src/ remote_path: /var/www/html/ remote_host: example.com remote_port: 5555 remote_user: debian remote_key: ${{ secrets.DEPLOY_KEY }} ``` For better **security**, I suggest you create additional secrets for remote_host, remote_port, remote_user and remote_path inputs. ```yml jobs: deploy: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - name: rsync deployments uses: burnett01/rsync-deployments@7.1.0 with: switches: -avzr --delete path: src/ remote_path: ${{ secrets.DEPLOY_PATH }} remote_host: ${{ secrets.DEPLOY_HOST }} remote_port: ${{ secrets.DEPLOY_PORT }} remote_user: ${{ secrets.DEPLOY_USER }} remote_key: ${{ secrets.DEPLOY_KEY }} ``` If your private key is passphrase protected you should use: ```yml jobs: deploy: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - name: rsync deployments uses: burnett01/rsync-deployments@7.1.0 with: switches: -avzr --delete path: src/ remote_path: ${{ secrets.DEPLOY_PATH }} remote_host: ${{ secrets.DEPLOY_HOST }} remote_port: ${{ secrets.DEPLOY_PORT }} remote_user: ${{ secrets.DEPLOY_USER }} remote_key: ${{ secrets.DEPLOY_KEY }} remote_key_pass: ${{ secrets.DEPLOY_KEY_PASS }} ``` --- #### Legacy RSA Hostkeys support for OpenSSH Servers >= 8.8+ If you're using RSA SSH keys (generated with `ssh-keygen -t rsa`) and your remote server runs OpenSSH 8.8+, you need to enable legacy RSA hostkey support. This is required because OpenSSH 8.8+ deprecated RSA hostkeys by default for security reasons. **When you need this:** RSA keys + OpenSSH 8.8+ server = add `legacy_allow_rsa_hostkeys: "true"` ```yml jobs: deploy: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - name: rsync deployments uses: burnett01/rsync-deployments@7.1.0 with: switches: -avzr --delete legacy_allow_rsa_hostkeys: "true" # Required for RSA keys with OpenSSH 8.8+ path: src/ remote_path: ${{ secrets.DEPLOY_PATH }} remote_host: ${{ secrets.DEPLOY_HOST }} remote_port: ${{ secrets.DEPLOY_PORT }} remote_user: ${{ secrets.DEPLOY_USER }} remote_key: ${{ secrets.DEPLOY_KEY }} # Your RSA private key ``` See [#49](https://github.com/Burnett01/rsync-deployments/issues/49) and [#24](https://github.com/Burnett01/rsync-deployments/issues/24) for more information. --- ## Troubleshooting Common Issues ### "Permission denied" SSH Errors If you encounter errors like: ``` Identity added: (stdin) (deploy@***) Warning: Permanently added '***' (ED25519) to the list of known hosts. Permission denied, please try again. Permission denied, please try again. ***@***: Permission denied (publickey,password). rsync: connection unexpectedly closed (0 bytes received so far) [sender] rsync error: unexplained error (code 255) at io.c(228) [sender=3.2.3] ``` **Most common cause:** You're using RSA keys with an OpenSSH 8.8+ server that has deprecated RSA hostkeys by default. **Solution:** Add `legacy_allow_rsa_hostkeys: "true"` to your workflow: ```yml - name: Deploy files to server uses: burnett01/rsync-deployments@7.1.0 with: switches: -avz --delete legacy_allow_rsa_hostkeys: "true" # Add this line path: ./ remote_path: ${{ secrets.DEPLOY_PATH }} remote_host: ${{ secrets.DEPLOY_HOST }} remote_user: ${{ secrets.DEPLOY_USER }} remote_key: ${{ secrets.DEPLOY_KEY }} ``` **Alternative solution:** Generate Ed25519 keys instead of RSA: ```bash ssh-keygen -t ed25519 -C "deploy@yourproject" -f ~/.ssh/deploy_yourproject -N "" ``` ### When do I need `legacy_allow_rsa_hostkeys: "true"`? You need this setting when **both** conditions are true: 1. You're using RSA SSH keys (generated with `-t rsa`) 2. Your destination server runs OpenSSH 8.8+ (most modern servers) You can check your server's OpenSSH version: ```bash ssh user@yourserver 'ssh -V' ``` ### Frequently Asked Questions **Q: Do I need to exclude ".git" folder from deployment?** A: No, rsync by default follows your `.path` setting. If you set `path: ./`, it syncs the entire directory. If you want to exclude `.git`, use: ```yml switches: -avz --delete --exclude='.git' ``` **Q: Do I need to allowlist GitHub Actions IP addresses in my firewall?** A: Yes, if you have a restrictive firewall. GitHub publishes their IP ranges at: - API endpoint: https://api.github.com/meta (look for `actions` IPs) - Or allowlist the entire GitHub IP ranges for `actions` and `hooks` However, these IP ranges change frequently. Consider: 1. Using a jump host/bastion with a static IP 2. Setting up a VPN connection 3. Using GitHub's self-hosted runners in your network **Q: My key has a passphrase, how do I handle it?** A: Use the `remote_key_pass` input: ```yml remote_key: ${{ secrets.DEPLOY_KEY }} remote_key_pass: ${{ secrets.DEPLOY_KEY_PASSPHRASE }} ``` **Q: Should I use RSA or Ed25519 keys?** A: Ed25519 is recommended for new deployments as it's more secure and doesn't require legacy compatibility flags. However, RSA keys work fine with the `legacy_allow_rsa_hostkeys: "true"` setting. --- ## Version 7.0.2 Check here: - https://github.com/Burnett01/rsync-deployments/tree/7.0.2 (alpine 3.19.1) --- ## Version 7.0.0 & 7.0.1 (DEPRECATED) Check here: - https://github.com/Burnett01/rsync-deployments/tree/7.0.0 (alpine 3.19.1) - https://github.com/Burnett01/rsync-deployments/tree/7.0.1 (alpine 3.19.1) --- ## Version 6.0 (EOL) Check here: - https://github.com/Burnett01/rsync-deployments/tree/6.0 (alpine 3.17.2) --- ## Version 5.0, 5.1 & 5.2 & 5.x (EOL) Check here: - https://github.com/Burnett01/rsync-deployments/tree/5.0 (alpine 3.11.x) - https://github.com/Burnett01/rsync-deployments/tree/5.1 (alpine 3.14.1) - https://github.com/Burnett01/rsync-deployments/tree/5.2 (alpine 3.15.0) - https://github.com/Burnett01/rsync-deployments/tree/5.2.1 (alpine 3.16.1) - https://github.com/Burnett01/rsync-deployments/tree/5.2.2 (alpine 3.17.2) --- ## Version 4.0 & 4.1 (EOL) Check here: - https://github.com/Burnett01/rsync-deployments/tree/4.0 - https://github.com/Burnett01/rsync-deployments/tree/4.1 Version 4.0 & 4.1 use the ``drinternet/rsync:1.0.1`` base-image. --- ## Version 3.0 (EOL) Check here: https://github.com/Burnett01/rsync-deployments/tree/3.0 Version 3.0 uses the ``alpine:latest`` base-image directly.
Consider upgrading to 4.0 that uses a docker-image ``drinternet/rsync:1.0.1`` that is
based on ``alpine:latest``and heavily optimized for rsync. ## Version 2.0 (EOL) Check here: https://github.com/Burnett01/rsync-deployments/tree/2.0 Version 2.0 uses a larger base-image (``ubuntu:latest``).
Consider upgrading to 3.0 for even faster deployments. ## Version 1.0 (EOL) Check here: https://github.com/Burnett01/rsync-deployments/tree/1.0 Please note that version 1.0 has reached end of life state. --- ## Acknowledgements + This project is a fork of [Contention/rsync-deployments](https://github.com/Contention/rsync-deployments) + Base image [JoshPiper/rsync-docker](https://github.com/JoshPiper/rsync-docker) --- ## Media & Pingback This action was featured in multiple blogs across the globe: > Disclaimer: The author & co-authors are not responsible for the content of the site-links below. - https://hosting.xyz/wiki/hosting/other/github-actions/ - https://www.alexander-palm.de/2025/07/22/sichere-rsync-deployments-mit-github-actions-und-rrsync/ - https://lab.uberspace.de/howto_automatic-deployment/ - https://blog.devops.dev/setting-up-an-ubuntu-instance-for-nodejs-apps-in-ovh-cloud-using-nginx-pm2-github-actions-7618c768d081 - https://elijahverdoorn.com/2020/04/14/automating-deployment-with-github-actions/ - https://www.vektor-inc.co.jp/post/github-actions-deploy/ - https://webpick.info/automatiser-avec-github-actions/ - https://matthias-andrasch.eu/blog/2021/tutorial-webseite-mittels-github-actions-deployment-zu-uberspace-uebertragen-rsync/ - https://jishuin.proginn.com/p/763bfbd38928 - https://cloud.tencent.com/developer/article/1786522