Hostux/github.com_burnett01_rsync-deployments
1
0
Fork 1
mirror of https://github.com/Burnett01/rsync-deployments.git synced 2025-09-20 08:10:38 +02:00
Code Issues Projects Releases Packages Wiki Activity
github.com_burnett01_rsync-.../README.md
copilot-swe-agent[bot] 6ef11e4b95 Add comprehensive troubleshooting guide for SSH permission denied issues 
Co-authored-by: Burnett01 <1208707+Burnett01@users.noreply.github.com>
2025-09-18 11:25:45 +00:00

367 lines
12 KiB
Markdown
Raw Blame History

# rsync deployments
[![CI - Validating, Linting, Testing](https://github.com/Burnett01/rsync-deployments/actions/workflows/ci-validating-linting-testing.yml/badge.svg)](https://github.com/Burnett01/rsync-deployments/actions/workflows/ci-validating-linting-testing.yml)
[![Snyk Docker Vulnerability Scan](https://github.com/Burnett01/rsync-deployments/actions/workflows/snyk-docker-vulnerability-scan.yml/badge.svg)](https://github.com/Burnett01/rsync-deployments/actions/workflows/snyk-docker-vulnerability-scan.yml)
[![CodeQL](https://github.com/Burnett01/rsync-deployments/actions/workflows/github-code-scanning/codeql/badge.svg)](https://github.com/Burnett01/rsync-deployments/actions/workflows/github-code-scanning/codeql)
[![Dependabot Updates](https://github.com/Burnett01/rsync-deployments/actions/workflows/dependabot/dependabot-updates/badge.svg)](https://github.com/Burnett01/rsync-deployments/actions/workflows/dependabot/dependabot-updates)
This GitHub Action (amd64) deploys files in `GITHUB_WORKSPACE` to a remote folder via rsync over ssh.
Use this action in a CD workflow which leaves deployable code in `GITHUB_WORKSPACE`.
The base-image [drinternet/rsync](https://github.com/JoshPiper/rsync-docker/) of this action is very small and is based on Alpine 3.22.1 (no cache) which results in fast deployments.
Alpine version: [3.22.1](https://alpinelinux.org/posts/Alpine-3.19.8-3.20.7-3.21.4-3.22.1-released.html)
Rsync version: [3.4.1-r0](https://download.samba.org/pub/rsync/NEWS#3.4.1)
---
## Inputs
- `switches`* - The first is for any initial/required rsync flags, eg: `-avzr --delete`
- `rsh` - Remote shell commands
- `legacy_allow_rsa_hostkeys` - Enables support for legacy RSA host keys on OpenSSH 8.8+. ("true" / "false")
- `path` - The source path. Defaults to GITHUB_WORKSPACE and is relative to it
- `remote_path`* - The deployment target path
- `remote_host`* - The remote host
- `remote_port` - The remote port. Defaults to 22
- `remote_user`* - The remote user
- `remote_key`* - The remote ssh key
- `remote_key_pass` - The remote ssh key passphrase (if any)
``* = Required``
## Required secret(s)
This action needs secret variables for the ssh private key of your key pair. The public key part should be added to the authorized_keys file on the server that receives the deployment. The secret variable should be set in the Github secrets section of your org/repo and then referenced as the `remote_key` input.
> Always use secrets when dealing with sensitive inputs!
For simplicity, we are using `DEPLOY_*` as the secret variables throughout the examples.
### Recommended SSH Key Generation
**For new deployments, use Ed25519 keys (recommended):**
```bash
ssh-keygen -t ed25519 -C "deploy@yourproject" -f ~/.ssh/deploy_yourproject -N ""
```
**If you must use RSA keys:**
```bash
ssh-keygen -t rsa -b 4096 -C "deploy@yourproject" -f ~/.ssh/deploy_yourproject -N ""
```
*Note: RSA keys require `legacy_allow_rsa_hostkeys: "true"` with modern OpenSSH servers (8.8+)*
## Current Version: 7.1.0
## Example usage
Simple:
```yml
name: DEPLOY
on:
push:
branches:
- master
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: rsync deployments
uses: burnett01/rsync-deployments@7.1.0
with:
switches: -avzr --delete
path: src/
remote_path: /var/www/html/
remote_host: example.com
remote_user: debian
remote_key: ${{ secrets.DEPLOY_KEY }}
```
Advanced:
```yml
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: rsync deployments
uses: burnett01/rsync-deployments@7.1.0
with:
switches: -avzr --delete --exclude="" --include="" --filter=""
path: src/
remote_path: /var/www/html/
remote_host: example.com
remote_port: 5555
remote_user: debian
remote_key: ${{ secrets.DEPLOY_KEY }}
```
For better **security**, I suggest you create additional secrets for remote_host, remote_port, remote_user and remote_path inputs.
```yml
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: rsync deployments
uses: burnett01/rsync-deployments@7.1.0
with:
switches: -avzr --delete
path: src/
remote_path: ${{ secrets.DEPLOY_PATH }}
remote_host: ${{ secrets.DEPLOY_HOST }}
remote_port: ${{ secrets.DEPLOY_PORT }}
remote_user: ${{ secrets.DEPLOY_USER }}
remote_key: ${{ secrets.DEPLOY_KEY }}
```
If your private key is passphrase protected you should use:
```yml
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: rsync deployments
uses: burnett01/rsync-deployments@7.1.0
with:
switches: -avzr --delete
path: src/
remote_path: ${{ secrets.DEPLOY_PATH }}
remote_host: ${{ secrets.DEPLOY_HOST }}
remote_port: ${{ secrets.DEPLOY_PORT }}
remote_user: ${{ secrets.DEPLOY_USER }}
remote_key: ${{ secrets.DEPLOY_KEY }}
remote_key_pass: ${{ secrets.DEPLOY_KEY_PASS }}
```
---
#### Legacy RSA Hostkeys support for OpenSSH Servers >= 8.8+
If you're using RSA SSH keys (generated with `ssh-keygen -t rsa`) and your remote server runs OpenSSH 8.8+, you need to enable legacy RSA hostkey support. This is required because OpenSSH 8.8+ deprecated RSA hostkeys by default for security reasons.
**When you need this:** RSA keys + OpenSSH 8.8+ server = add `legacy_allow_rsa_hostkeys: "true"`
```yml
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: rsync deployments
uses: burnett01/rsync-deployments@7.1.0
with:
switches: -avzr --delete
legacy_allow_rsa_hostkeys: "true" # Required for RSA keys with OpenSSH 8.8+
path: src/
remote_path: ${{ secrets.DEPLOY_PATH }}
remote_host: ${{ secrets.DEPLOY_HOST }}
remote_port: ${{ secrets.DEPLOY_PORT }}
remote_user: ${{ secrets.DEPLOY_USER }}
remote_key: ${{ secrets.DEPLOY_KEY }} # Your RSA private key
```
See [#49](https://github.com/Burnett01/rsync-deployments/issues/49) and [#24](https://github.com/Burnett01/rsync-deployments/issues/24) for more information.
---
## Troubleshooting Common Issues
### "Permission denied" SSH Errors
If you encounter errors like:
```
Identity added: (stdin) (deploy@***)
Warning: Permanently added '***' (ED25519) to the list of known hosts.
Permission denied, please try again.
Permission denied, please try again.
***@***: Permission denied (publickey,password).
rsync: connection unexpectedly closed (0 bytes received so far) [sender]
rsync error: unexplained error (code 255) at io.c(228) [sender=3.2.3]
```
**Most common cause:** You're using RSA keys with an OpenSSH 8.8+ server that has deprecated RSA hostkeys by default.
**Solution:** Add `legacy_allow_rsa_hostkeys: "true"` to your workflow:
```yml
- name: Deploy files to server
uses: burnett01/rsync-deployments@7.1.0
with:
switches: -avz --delete
legacy_allow_rsa_hostkeys: "true" # Add this line
path: ./
remote_path: ${{ secrets.DEPLOY_PATH }}
remote_host: ${{ secrets.DEPLOY_HOST }}
remote_user: ${{ secrets.DEPLOY_USER }}
remote_key: ${{ secrets.DEPLOY_KEY }}
```
**Alternative solution:** Generate Ed25519 keys instead of RSA:
```bash
ssh-keygen -t ed25519 -C "deploy@yourproject" -f ~/.ssh/deploy_yourproject -N ""
```
### When do I need `legacy_allow_rsa_hostkeys: "true"`?
You need this setting when **both** conditions are true:
1. You're using RSA SSH keys (generated with `-t rsa`)
2. Your destination server runs OpenSSH 8.8+ (most modern servers)
You can check your server's OpenSSH version:
```bash
ssh user@yourserver 'ssh -V'
```
### Frequently Asked Questions
**Q: Do I need to exclude ".git" folder from deployment?**
A: No, rsync by default follows your `.path` setting. If you set `path: ./`, it syncs the entire directory. If you want to exclude `.git`, use:
```yml
switches: -avz --delete --exclude='.git'
```
**Q: Do I need to allowlist GitHub Actions IP addresses in my firewall?**
A: Yes, if you have a restrictive firewall. GitHub publishes their IP ranges at:
- API endpoint: https://api.github.com/meta (look for `actions` IPs)
- Or allowlist the entire GitHub IP ranges for `actions` and `hooks`
However, these IP ranges change frequently. Consider:
1. Using a jump host/bastion with a static IP
2. Setting up a VPN connection
3. Using GitHub's self-hosted runners in your network
**Q: My key has a passphrase, how do I handle it?**
A: Use the `remote_key_pass` input:
```yml
remote_key: ${{ secrets.DEPLOY_KEY }}
remote_key_pass: ${{ secrets.DEPLOY_KEY_PASSPHRASE }}
```
**Q: Should I use RSA or Ed25519 keys?**
A: Ed25519 is recommended for new deployments as it's more secure and doesn't require legacy compatibility flags. However, RSA keys work fine with the `legacy_allow_rsa_hostkeys: "true"` setting.
---
## Version 7.0.2
Check here:
- https://github.com/Burnett01/rsync-deployments/tree/7.0.2 (alpine 3.19.1)
---
## Version 7.0.0 & 7.0.1 (DEPRECATED)
Check here:
- https://github.com/Burnett01/rsync-deployments/tree/7.0.0 (alpine 3.19.1)
- https://github.com/Burnett01/rsync-deployments/tree/7.0.1 (alpine 3.19.1)
---
## Version 6.0 (EOL)
Check here:
- https://github.com/Burnett01/rsync-deployments/tree/6.0 (alpine 3.17.2)
---
## Version 5.0, 5.1 & 5.2 & 5.x (EOL)
Check here:
- https://github.com/Burnett01/rsync-deployments/tree/5.0 (alpine 3.11.x)
- https://github.com/Burnett01/rsync-deployments/tree/5.1 (alpine 3.14.1)
- https://github.com/Burnett01/rsync-deployments/tree/5.2 (alpine 3.15.0)
- https://github.com/Burnett01/rsync-deployments/tree/5.2.1 (alpine 3.16.1)
- https://github.com/Burnett01/rsync-deployments/tree/5.2.2 (alpine 3.17.2)
---
## Version 4.0 & 4.1 (EOL)
Check here:
- https://github.com/Burnett01/rsync-deployments/tree/4.0
- https://github.com/Burnett01/rsync-deployments/tree/4.1
Version 4.0 & 4.1 use the ``drinternet/rsync:1.0.1`` base-image.
---
## Version 3.0 (EOL)
Check here: https://github.com/Burnett01/rsync-deployments/tree/3.0
Version 3.0 uses the ``alpine:latest`` base-image directly.<br>
Consider upgrading to 4.0 that uses a docker-image ``drinternet/rsync:1.0.1`` that is<br>
based on ``alpine:latest``and heavily optimized for rsync.
## Version 2.0 (EOL)
Check here: https://github.com/Burnett01/rsync-deployments/tree/2.0
Version 2.0 uses a larger base-image (``ubuntu:latest``).<br>
Consider upgrading to 3.0 for even faster deployments.
## Version 1.0 (EOL)
Check here: https://github.com/Burnett01/rsync-deployments/tree/1.0
Please note that version 1.0 has reached end of life state.
---
## Acknowledgements
+ This project is a fork of [Contention/rsync-deployments](https://github.com/Contention/rsync-deployments)
+ Base image [JoshPiper/rsync-docker](https://github.com/JoshPiper/rsync-docker)
---
## Media & Pingback
This action was featured in multiple blogs across the globe:
> Disclaimer: The author & co-authors are not responsible for the content of the site-links below.
- https://hosting.xyz/wiki/hosting/other/github-actions/
- https://www.alexander-palm.de/2025/07/22/sichere-rsync-deployments-mit-github-actions-und-rrsync/
- https://lab.uberspace.de/howto_automatic-deployment/
- https://blog.devops.dev/setting-up-an-ubuntu-instance-for-nodejs-apps-in-ovh-cloud-using-nginx-pm2-github-actions-7618c768d081
- https://elijahverdoorn.com/2020/04/14/automating-deployment-with-github-actions/
- https://www.vektor-inc.co.jp/post/github-actions-deploy/
- https://webpick.info/automatiser-avec-github-actions/
- https://matthias-andrasch.eu/blog/2021/tutorial-webseite-mittels-github-actions-deployment-zu-uberspace-uebertragen-rsync/
- https://jishuin.proginn.com/p/763bfbd38928
- https://cloud.tencent.com/developer/article/1786522
Reference in a new issue View git blame Copy permalink