Hostux/github.com_burnett01_rsync-deployments
1
0
Fork 1
mirror of https://github.com/Burnett01/rsync-deployments.git synced 2025-09-20 00:00:38 +02:00
Code Issues Projects Releases Packages Wiki Activity
Mirror of https://github.com/Burnett01/rsync-deployments
133 commits 8 branches 15 tags 336 KiB
Shell 87.7%
Dockerfile 12.3%
Find a file
copilot-swe-agent[bot] 6ef11e4b95 Add comprehensive troubleshooting guide for SSH permission denied issues 
Co-authored-by: Burnett01 <1208707+Burnett01@users.noreply.github.com>
2025-09-18 11:25:45 +00:00
.github Rename CI workflow file to ci-validating-linting-testing.yml 2025-09-01 12:34:44 +02:00
test Add comprehensive troubleshooting guide for SSH permission denied issues 2025-09-18 11:25:45 +00:00
action.yml feat: configuarable legacy RSA hostkeys support 2024-03-06 12:20:39 +01:00
CODE_OF_CONDUCT.md Create CODE_OF_CONDUCT.md 2020-06-27 15:55:31 +02:00
CONTRIBUTING.md Create CONTRIBUTING.md 2020-06-27 15:55:57 +02:00
Dockerfile Release/7.1.0 (#72) 2025-08-29 20:57:37 +02:00
entrypoint.sh feat: Make usage of legacy rsa hostkeys conditional 2024-03-06 12:16:35 +01:00
LICENSE Release/7.1.0 (#72) 2025-08-29 20:57:37 +02:00
README.md Add comprehensive troubleshooting guide for SSH permission denied issues 2025-09-18 11:25:45 +00:00
SECURITY.md Release/7.1.0 (#72) 2025-08-29 20:57:37 +02:00

README.md

rsync deployments

CI - Validating, Linting, Testing Snyk Docker Vulnerability Scan CodeQL Dependabot Updates

This GitHub Action (amd64) deploys files in GITHUB_WORKSPACE to a remote folder via rsync over ssh.

Use this action in a CD workflow which leaves deployable code in GITHUB_WORKSPACE.

The base-image drinternet/rsync of this action is very small and is based on Alpine 3.22.1 (no cache) which results in fast deployments.

Alpine version: 3.22.1 Rsync version: 3.4.1-r0

Inputs

  • switches* - The first is for any initial/required rsync flags, eg: -avzr --delete

  • rsh - Remote shell commands

  • legacy_allow_rsa_hostkeys - Enables support for legacy RSA host keys on OpenSSH 8.8+. ("true" / "false")

  • path - The source path. Defaults to GITHUB_WORKSPACE and is relative to it

  • remote_path* - The deployment target path

  • remote_host* - The remote host

  • remote_port - The remote port. Defaults to 22

  • remote_user* - The remote user

  • remote_key* - The remote ssh key

  • remote_key_pass - The remote ssh key passphrase (if any)

* = Required

Required secret(s)

This action needs secret variables for the ssh private key of your key pair. The public key part should be added to the authorized_keys file on the server that receives the deployment. The secret variable should be set in the Github secrets section of your org/repo and then referenced as the remote_key input.

Always use secrets when dealing with sensitive inputs!

For simplicity, we are using DEPLOY_* as the secret variables throughout the examples.

Recommended SSH Key Generation

For new deployments, use Ed25519 keys (recommended):

ssh-keygen -t ed25519 -C "deploy@yourproject" -f ~/.ssh/deploy_yourproject -N ""

If you must use RSA keys:

ssh-keygen -t rsa -b 4096 -C "deploy@yourproject" -f ~/.ssh/deploy_yourproject -N ""

Note: RSA keys require legacy_allow_rsa_hostkeys: "true" with modern OpenSSH servers (8.8+)

Current Version: 7.1.0

Example usage

Simple:

name: DEPLOY
on:
  push:
    branches:
    - master

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3
    - name: rsync deployments
      uses: burnett01/rsync-deployments@7.1.0
      with:
        switches: -avzr --delete
        path: src/
        remote_path: /var/www/html/
        remote_host: example.com
        remote_user: debian
        remote_key: ${{ secrets.DEPLOY_KEY }}

Advanced:

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3
    - name: rsync deployments
      uses: burnett01/rsync-deployments@7.1.0
      with:
        switches: -avzr --delete --exclude="" --include="" --filter=""
        path: src/
        remote_path: /var/www/html/
        remote_host: example.com
        remote_port: 5555
        remote_user: debian
        remote_key: ${{ secrets.DEPLOY_KEY }}

For better security, I suggest you create additional secrets for remote_host, remote_port, remote_user and remote_path inputs.

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3
    - name: rsync deployments
      uses: burnett01/rsync-deployments@7.1.0
      with:
        switches: -avzr --delete
        path: src/
        remote_path: ${{ secrets.DEPLOY_PATH }}
        remote_host: ${{ secrets.DEPLOY_HOST }}
        remote_port: ${{ secrets.DEPLOY_PORT }}
        remote_user: ${{ secrets.DEPLOY_USER }}
        remote_key: ${{ secrets.DEPLOY_KEY }}

If your private key is passphrase protected you should use:

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3
    - name: rsync deployments
      uses: burnett01/rsync-deployments@7.1.0
      with:
        switches: -avzr --delete
        path: src/
        remote_path: ${{ secrets.DEPLOY_PATH }}
        remote_host: ${{ secrets.DEPLOY_HOST }}
        remote_port: ${{ secrets.DEPLOY_PORT }}
        remote_user: ${{ secrets.DEPLOY_USER }}
        remote_key: ${{ secrets.DEPLOY_KEY }}
        remote_key_pass: ${{ secrets.DEPLOY_KEY_PASS }}

Legacy RSA Hostkeys support for OpenSSH Servers >= 8.8+

If you're using RSA SSH keys (generated with ssh-keygen -t rsa) and your remote server runs OpenSSH 8.8+, you need to enable legacy RSA hostkey support. This is required because OpenSSH 8.8+ deprecated RSA hostkeys by default for security reasons.

When you need this: RSA keys + OpenSSH 8.8+ server = add legacy_allow_rsa_hostkeys: "true"

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3
    - name: rsync deployments
      uses: burnett01/rsync-deployments@7.1.0
      with:
        switches: -avzr --delete
        legacy_allow_rsa_hostkeys: "true"  # Required for RSA keys with OpenSSH 8.8+
        path: src/
        remote_path: ${{ secrets.DEPLOY_PATH }}
        remote_host: ${{ secrets.DEPLOY_HOST }}
        remote_port: ${{ secrets.DEPLOY_PORT }}
        remote_user: ${{ secrets.DEPLOY_USER }}
        remote_key: ${{ secrets.DEPLOY_KEY }}  # Your RSA private key

See #49 and #24 for more information.

Troubleshooting Common Issues

"Permission denied" SSH Errors

If you encounter errors like:

Identity added: (stdin) (deploy@***)
Warning: Permanently added '***' (ED25519) to the list of known hosts.
Permission denied, please try again.
Permission denied, please try again.
***@***: Permission denied (publickey,password).
rsync: connection unexpectedly closed (0 bytes received so far) [sender]
rsync error: unexplained error (code 255) at io.c(228) [sender=3.2.3]

Most common cause: You're using RSA keys with an OpenSSH 8.8+ server that has deprecated RSA hostkeys by default.

Solution: Add legacy_allow_rsa_hostkeys: "true" to your workflow:

- name: Deploy files to server
  uses: burnett01/rsync-deployments@7.1.0
  with:
    switches: -avz --delete
    legacy_allow_rsa_hostkeys: "true"  # Add this line
    path: ./
    remote_path: ${{ secrets.DEPLOY_PATH }}
    remote_host: ${{ secrets.DEPLOY_HOST }}
    remote_user: ${{ secrets.DEPLOY_USER }}
    remote_key: ${{ secrets.DEPLOY_KEY }}

Alternative solution: Generate Ed25519 keys instead of RSA:

ssh-keygen -t ed25519 -C "deploy@yourproject" -f ~/.ssh/deploy_yourproject -N ""

When do I need legacy_allow_rsa_hostkeys: "true"?

You need this setting when both conditions are true:

  1. You're using RSA SSH keys (generated with -t rsa)
  2. Your destination server runs OpenSSH 8.8+ (most modern servers)

You can check your server's OpenSSH version:

ssh user@yourserver 'ssh -V'

Frequently Asked Questions

Q: Do I need to exclude ".git" folder from deployment? A: No, rsync by default follows your .path setting. If you set path: ./, it syncs the entire directory. If you want to exclude .git, use:

switches: -avz --delete --exclude='.git'

Q: Do I need to allowlist GitHub Actions IP addresses in my firewall? A: Yes, if you have a restrictive firewall. GitHub publishes their IP ranges at:

However, these IP ranges change frequently. Consider:

  1. Using a jump host/bastion with a static IP
  2. Setting up a VPN connection
  3. Using GitHub's self-hosted runners in your network

Q: My key has a passphrase, how do I handle it? A: Use the remote_key_pass input:

remote_key: ${{ secrets.DEPLOY_KEY }}
remote_key_pass: ${{ secrets.DEPLOY_KEY_PASSPHRASE }}

Q: Should I use RSA or Ed25519 keys? A: Ed25519 is recommended for new deployments as it's more secure and doesn't require legacy compatibility flags. However, RSA keys work fine with the legacy_allow_rsa_hostkeys: "true" setting.

Version 7.0.2

Check here:

Version 7.0.0 & 7.0.1 (DEPRECATED)

Check here:

Version 6.0 (EOL)

Check here:

Version 5.0, 5.1 & 5.2 & 5.x (EOL)

Check here:

Version 4.0 & 4.1 (EOL)

Check here:

Version 4.0 & 4.1 use the drinternet/rsync:1.0.1 base-image.

Version 3.0 (EOL)

Check here: https://github.com/Burnett01/rsync-deployments/tree/3.0

Version 3.0 uses the alpine:latest base-image directly.
Consider upgrading to 4.0 that uses a docker-image drinternet/rsync:1.0.1 that is
based on alpine:latestand heavily optimized for rsync.

Version 2.0 (EOL)

Check here: https://github.com/Burnett01/rsync-deployments/tree/2.0

Version 2.0 uses a larger base-image (ubuntu:latest).
Consider upgrading to 3.0 for even faster deployments.

Version 1.0 (EOL)

Check here: https://github.com/Burnett01/rsync-deployments/tree/1.0

Please note that version 1.0 has reached end of life state.

Acknowledgements

Media & Pingback

This action was featured in multiple blogs across the globe:

Disclaimer: The author & co-authors are not responsible for the content of the site-links below.