Find a file
Steven Agyekum 796cf0d5e4
Merge pull request #61 from Burnett01/release/7.0.1
- Pin @JoshPiper [drinternet/rsync](https://github.com/JoshPiper/rsync-docker) image by SHA-256 hash rather than version.  (Immutability)
Added via #60 

The docker image of this action is now pinned to the specific SHA-256 hash of the version rather than just the version.
This means for the latest `drinternet/rsync:v1.4.4` the corresponding hash is `drinternet/rsync@sha256:15b2949838074bd93c49421c22380396a0cd53a322439e799ac87afcadcfe234`

Check for validation: https://hub.docker.com/layers/drinternet/rsync/v1.4.4/images/sha256-15b2949838074bd93c49421c22380396a0cd53a322439e799ac87afcadcfe234

With that, usage of this action is even more secure due to a consistent dependency chain of trust,
since changes accompanied by a docker image hash are immutable.

Thanks to @XComp
2024-03-31 18:11:10 +02:00
.github Create dependabot.yml 2021-09-01 12:47:46 +02:00
action.yml feat: configuarable legacy RSA hostkeys support 2024-03-06 12:20:39 +01:00
CODE_OF_CONDUCT.md Create CODE_OF_CONDUCT.md 2020-06-27 15:55:31 +02:00
CONTRIBUTING.md Create CONTRIBUTING.md 2020-06-27 15:55:57 +02:00
Dockerfile Use SHA instead of Docker version tag for base image to allow for consistent code execution. 2024-03-28 17:53:03 +01:00
entrypoint.sh feat: Make usage of legacy rsa hostkeys conditional 2024-03-06 12:16:35 +01:00
LICENSE update year to 2024 2024-03-30 10:46:13 +01:00
README.md upd: mention version 7.0.1 2024-03-30 10:49:50 +01:00
SECURITY.md chore: adjust for EOL, DEPRECATION and MAINTENANCE 2024-03-06 14:33:02 +01:00

rsync deployments

This GitHub Action (amd64) deploys files in GITHUB_WORKSPACE to a remote folder via rsync over ssh.

Use this action in a CD workflow which leaves deployable code in GITHUB_WORKSPACE.

The base-image drinternet/rsync of this action is very small and is based on Alpine 3.19.1 (no cache) which results in fast deployments.


Inputs

  • switches* - The first is for any initial/required rsync flags, eg: -avzr --delete

  • rsh - Remote shell commands

  • legacy_allow_rsa_hostkeys - Enables support for legacy RSA host keys on OpenSSH 8.8+. ("true" / "false")

  • path - The source path. Defaults to GITHUB_WORKSPACE and is relative to it

  • remote_path* - The deployment target path

  • remote_host* - The remote host

  • remote_port - The remote port. Defaults to 22

  • remote_user* - The remote user

  • remote_key* - The remote ssh key

  • remote_key_pass - The remote ssh key passphrase (if any)

* = Required

Required secret(s)

This action needs secret variables for the ssh private key of your key pair. The public key part should be added to the authorized_keys file on the server that receives the deployment. The secret variable should be set in the Github secrets section of your org/repo and then referenced as the remote_key input.

Always use secrets when dealing with sensitive inputs!

For simplicity, we are using DEPLOY_* as the secret variables throughout the examples.

Current Version: 7.0.1

Example usage

Simple:

name: DEPLOY
on:
  push:
    branches:
    - master

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3
    - name: rsync deployments
      uses: burnett01/rsync-deployments@7.0.1
      with:
        switches: -avzr --delete
        path: src/
        remote_path: /var/www/html/
        remote_host: example.com
        remote_user: debian
        remote_key: ${{ secrets.DEPLOY_KEY }}

Advanced:

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3
    - name: rsync deployments
      uses: burnett01/rsync-deployments@7.0.1
      with:
        switches: -avzr --delete --exclude="" --include="" --filter=""
        path: src/
        remote_path: /var/www/html/
        remote_host: example.com
        remote_port: 5555
        remote_user: debian
        remote_key: ${{ secrets.DEPLOY_KEY }}

For better security, I suggest you create additional secrets for remote_host, remote_port, remote_user and remote_path inputs.

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3
    - name: rsync deployments
      uses: burnett01/rsync-deployments@7.0.1
      with:
        switches: -avzr --delete
        path: src/
        remote_path: ${{ secrets.DEPLOY_PATH }}
        remote_host: ${{ secrets.DEPLOY_HOST }}
        remote_port: ${{ secrets.DEPLOY_PORT }}
        remote_user: ${{ secrets.DEPLOY_USER }}
        remote_key: ${{ secrets.DEPLOY_KEY }}

If your private key is passphrase protected you should use:

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3
    - name: rsync deployments
      uses: burnett01/rsync-deployments@7.0.1
      with:
        switches: -avzr --delete
        path: src/
        remote_path: ${{ secrets.DEPLOY_PATH }}
        remote_host: ${{ secrets.DEPLOY_HOST }}
        remote_port: ${{ secrets.DEPLOY_PORT }}
        remote_user: ${{ secrets.DEPLOY_USER }}
        remote_key: ${{ secrets.DEPLOY_KEY }}
        remote_key_pass: ${{ secrets.DEPLOY_KEY_PASS }}

Legacy RSA Hostkeys support for OpenSSH Servers >= 8.8+

If your remote OpenSSH Server still uses RSA hostkeys, then you have to manually enable legacy support for this by using legacy_allow_rsa_hostkeys: "true".

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3
    - name: rsync deployments
      uses: burnett01/rsync-deployments@7.0.1
      with:
        switches: -avzr --delete
        legacy_allow_rsa_hostkeys: "true"
        path: src/
        remote_path: ${{ secrets.DEPLOY_PATH }}
        remote_host: ${{ secrets.DEPLOY_HOST }}
        remote_port: ${{ secrets.DEPLOY_PORT }}
        remote_user: ${{ secrets.DEPLOY_USER }}
        remote_key: ${{ secrets.DEPLOY_KEY }}

See #49 and #24 for more information.


Version 6.0 (MAINTENANCE)

Check here:


Version 5.0, 5.1 & 5.2 & 5.x (DEPRECATED)

Check here:


Version 4.0 & 4.1 (EOL)

Check here:

Version 4.0 & 4.1 use the drinternet/rsync:1.0.1 base-image.


Version 3.0 (EOL)

Check here: https://github.com/Burnett01/rsync-deployments/tree/3.0

Version 3.0 uses the alpine:latest base-image directly.
Consider upgrading to 4.0 that uses a docker-image drinternet/rsync:1.0.1 that is
based on alpine:latestand heavily optimized for rsync.

Version 2.0 (EOL)

Check here: https://github.com/Burnett01/rsync-deployments/tree/2.0

Version 2.0 uses a larger base-image (ubuntu:latest).
Consider upgrading to 3.0 for even faster deployments.

Version 1.0 (EOL)

Check here: https://github.com/Burnett01/rsync-deployments/tree/1.0

Please note that version 1.0 has reached end of life state.


Acknowledgements


Media

This action was featured in multiple blogs across the globe:

Disclaimer: The author & co-authors are not responsible for the content of the site-links below.