v8 - 8.0.0 (#88)

* feat: latest Alpine 3.23.0
* feat: latest Rsync 3.4.1-r1
* feat: integrate [rsync-docker](https://github.com/JoshPiper/rsync-docker/) 3rd party into this action as 1st party code (no more dependency, better audit, single source of truth)
   - backported:
       - agent-start
       - agent-stop
       - agent-askpass
       - agent-add
       - hosts-add
       - hosts-clear
   - new added: 
       - ssh-init
       - hosts-init
   - improved: 
     - stricter permissions on .ssh/ folder (700) and known_hosts (600)
     - use set -eu in all scipts
* feat: new ``strict_host_keys`` option to enable support for strict host key verification. Default: false (to keep backward compatibility)
* feat: new ``debug`` option to see the commands executed (-x) by this action
* feat: this action is now scanned for vulnerabilities by Snyk
* feat; this action is now scanned by CodeQL for Q/A
* feat: this action now performs CI tasks such as Validation, Linting and Unit Tests
* fix: various shell syntax for robustness
* fix: use printf and redirect output to non-stdout instead of echo in sensitive code locations
* refactor: use $HOME instead of tilde ~ for robustness
* feat: cross-platform support
* chore: Deprecate 7.0.2
* chore: EOL 7.0.0 & 7.0.1

Author: Burnett01

.dockerignore

@@ -0,0 +1,5 @@
+Dockerfile
+LICENSE
+*.md
+.git*
+.github*

.editorconfig

@@ -0,0 +1,15 @@
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+tab_width = 4
+indent_size = 4
+indent_style = space
+max_line_length = 9999
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+[*.{yml,yaml}]
+tab_width = 2
+indent_size = 2

Dockerfile

@@ -1,11 +1,14 @@
-# drinternet/rsync@v1.5.1
-FROM drinternet/rsync@sha256:e61f4047577b566872764fa39299092adeab691efb3884248dbd6495dc926527
+FROM alpine:3.23.0@sha256:51183f2cfa6320055da30872f211093f9ff1d3cf06f39a0bdb212314c5dc7375 AS base
+
+RUN apk update && apk add --no-cache --upgrade rsync openssh openssl busybox
 
-# always force-upgrade rsync to get the latest security fixes
-RUN apk update && apk add --no-cache --upgrade rsync openssl
 RUN rm -rf /var/cache/apk/*
 
-# Copy entrypoint
+COPY docker-rsync/* /bin/
+RUN chmod +x /bin/agent-*
+
+FROM base AS build
+
 COPY entrypoint.sh /entrypoint.sh
 RUN chmod +x /entrypoint.sh
 

LICENSE

@@ -1,6 +1,7 @@
 MIT License
 
 Copyright (c) 2019-2022 Contention
+Copyright (c) 2019-2025 Joshua Piper (Dr Internet)
 Copyright (c) 2019-2025 Burnett01
 
 Permission is hereby granted, free of charge, to any person obtaining a copy

README.md

@@ -6,24 +6,28 @@
 [![Dependabot Updates](https://github.com/Burnett01/rsync-deployments/actions/workflows/dependabot/dependabot-updates/badge.svg)](https://github.com/Burnett01/rsync-deployments/actions/workflows/dependabot/dependabot-updates)
 
 
-This GitHub Action (amd64) deploys files in `GITHUB_WORKSPACE` to a remote folder via rsync over ssh. 
+This cross-platform GitHub Action deploys files in [`path`](#inputs) (relative to  `GITHUB_WORKSPACE`) to a remote folder via rsync over ssh. 
 
-Use this action in a CD workflow which leaves deployable code in `GITHUB_WORKSPACE`.
+Use this action in a CD workflow which leaves deployable code in `GITHUB_WORKSPACE`, such [actions/checkout](https://github.com/actions/checkout).
 
-The base-image [drinternet/rsync](https://github.com/JoshPiper/rsync-docker/) of this action is very small and is based on Alpine 3.22.1 (no cache) which results in fast deployments.
+The base-image of this action is very small and based on **Alpine 3.23.0** (no cache) which results in fast deployments.
 
-Alpine version: [3.22.1](https://alpinelinux.org/posts/Alpine-3.19.8-3.20.7-3.21.4-3.22.1-released.html)
-Rsync version: [3.4.1-r0](https://download.samba.org/pub/rsync/NEWS#3.4.1)
+Alpine version: [3.23.0](https://www.alpinelinux.org/posts/Alpine-3.23.0-released.html)
+Rsync version: [3.4.1-r1](https://download.samba.org/pub/rsync/NEWS#3.4.1)
 
 ---
 
 ## Inputs
 
+- `debug`* - Whether to enable debug output. ("true" / "false") - Default: "false"
+
 - `switches`* - The first is for any initial/required rsync flags, eg: `-avzr --delete`
 
 - `rsh` - Remote shell commands
 
-- `legacy_allow_rsa_hostkeys` - Enables support for legacy RSA host keys on OpenSSH 8.8+. ("true" / "false")
+- `strict_hostkeys_checking` - Enables support for strict hostkeys (fingerprint) checking. ("true" / "false") - Default: "false"
+
+- `legacy_allow_rsa_hostkeys` - Enables support for legacy RSA host keys on OpenSSH 8.8+. ("true" / "false") - Default: "false"
 
 - `path` - The source path. Defaults to GITHUB_WORKSPACE and is relative to it
 
@@ -49,7 +53,17 @@ This action needs secret variables for the ssh private key of your key pair. The
 
 For simplicity, we are using `REMOTE_*` as the secret variables throughout the examples.
 
-## Current Version: 7.1.0
+## Current Version: v8 (8.0.0)
+
+### Release channels:
+
+| Version | Purpose          | Immutable  | 
+| ------- | ------------------ | ------------------ | 
+| ``v8``  |  latest release (pointer to 8.x.x) | no, points to latest MINOR,PATCH |
+| 8.0.0  | latest major release | yes |
+| 7.1.0   | previous release | yes |
+
+Check [SECURITY.md](SECURITY.md) for support cycles.
 
 ## Example usage
 
@@ -66,9 +80,9 @@ jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v6
     - name: rsync deployments
-      uses: burnett01/rsync-deployments@7.1.0
+      uses: burnett01/rsync-deployments@v8
       with:
         switches: -avzr --delete
         path: src/
@@ -85,9 +99,9 @@ jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v6
     - name: rsync deployments
-      uses: burnett01/rsync-deployments@7.1.0
+      uses: burnett01/rsync-deployments@v8
       with:
         switches: -avzr --delete --exclude="" --include="" --filter=""
         path: src/
@@ -105,9 +119,9 @@ jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v6
     - name: rsync deployments
-      uses: burnett01/rsync-deployments@7.1.0
+      uses: burnett01/rsync-deployments@v8
       with:
         switches: -avzr --delete
         path: src/
@@ -125,9 +139,9 @@ jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v6
     - name: rsync deployments
-      uses: burnett01/rsync-deployments@7.1.0
+      uses: burnett01/rsync-deployments@v8
       with:
         switches: -avzr --delete
         path: src/
@@ -151,9 +165,9 @@ jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v6
     - name: rsync deployments
-      uses: burnett01/rsync-deployments@7.1.0
+      uses: burnett01/rsync-deployments@v8
       with:
         switches: -avzr --delete
         legacy_allow_rsa_hostkeys: "true"
@@ -263,20 +277,27 @@ sudo apk add rsync
 
 ## Versions
 
-## Version 7.0.2
+## Version 7.1.0
+
+Check here: 
+
+- https://github.com/Burnett01/rsync-deployments/tree/7.1.0  (alpine 3.22.1)
+  
+
+## Version 7.0.2 (DEPRECATED)
 
 Check here: 
 
-- https://github.com/Burnett01/rsync-deployments/tree/7.0.2  (alpine 3.19.1)
+- https://github.com/Burnett01/rsync-deployments/tree/7.0.2  (alpine 3.22.1)
 
 ---
 
-## Version 7.0.0 & 7.0.1 (DEPRECATED)
+## Version 7.0.0 & 7.0.1 (EOL)
 
 Check here: 
 
 - https://github.com/Burnett01/rsync-deployments/tree/7.0.0  (alpine 3.19.1)
-- https://github.com/Burnett01/rsync-deployments/tree/7.0.1  (alpine 3.19.1)
+- https://github.com/Burnett01/rsync-deployments/tree/7.0.1  (alpine 3.22.1)
 
 ---
 

SECURITY.md

@@ -1,21 +1,30 @@
 # Security Policy
 
+The Docker image and code quality are regularly checked for vulnerabilities and CVEs by Snyk and CodeQL.
+
 ## Supported Versions
 
 The following versions are currently being supported with security updates:
 
-| Version | Supported          | Rsync version          |
-| ------- | ------------------ | ------------------ |
-| 7.1.0  | :white_check_mark: | >= 3.4.1 |
-| 7.0.2   | :white_check_mark: | >= 3.4.0 |
-| 7.0.1   | :warning: DEPRECATED | < 3.4.0 |
-| 7.0.0   | :warning: DEPRECATED | < 3.4.0|
-| 6.x   | :x: EOL |< 3.4.0|
-| 5.x   | :x: EOL |< 3.4.0|
-| 4.x   | :x: EOL |< 3.4.0|
-| 3.0   | :x: EOL |< 3.4.0|
-| 2.0   | :x: EOL               |< 3.4.0|
-| 1.0   | :x: EOL               |< 3.4.0|
+| Version | Supported          | Rsync version          | Alpine version          |
+| ------- | ------------------ | ------------------ | ------------------ |
+| 8.0.0  | :white_check_mark: | >= 3.4.1-r1 | 3.23.0 |
+| 7.1.0  | :white_check_mark: | >= 3.4.1-r0 | 3.22.1 |
+| 7.0.2   | :warning: DEPRECATED | >= 3.4.0-r0 | 3.22.1 |
+| 7.0.1   | :x: EOL | < 3.4.0 | 3.22.1 |
+| 7.0.0   | :x: EOL | < 3.4.0| 3.19.1 |
+| 6.x   | :x: EOL |< 3.4.0| 3.17.2 |
+| 5.x   | :x: EOL |< 3.4.0| 3.11 - 3.14.1 - 3.15 - 3.16 - 3.17.2 |
+| 4.x   | :x: EOL |< 3.4.0| 3.11 |
+| 3.0   | :x: EOL |< 3.4.0| N/A |
+| 2.0   | :x: EOL               |< 3.4.0| Ubuntu |
+| 1.0   | :x: EOL               |< 3.4.0| Ubuntu |
+
+### Terminology
+
+EOL = End of life (no support/no updates)
+
+DEPRECATED = Close to EOL (support/no updates)
 
 ## Reporting a Vulnerability
 

action.yml

@@ -13,6 +13,10 @@ inputs:
     description: 'Enables support for legacy RSA host keys on OpenSSH 8.8+'
     required: false
     default: 'false'
+  strict_hostkeys_checking:
+    description: 'Controls strict host keys checking'
+    required: false
+    default: 'false'
   path:
     description: 'The local path'
     required: false
@@ -37,6 +41,10 @@ inputs:
     description: 'The remote key passphrase'
     required: false
     default: ''
+  debug:
+    description: 'Debug the action'
+    required: false
+    default: 'false'
 runs:
   using: 'docker'
   image: 'Dockerfile'

docker-rsync/agent-add

@@ -0,0 +1,6 @@
+#!/bin/sh
+
+set -eu
+
+source agent-start "${1:-default}"
+cat - | tr -d '\r' | DISPLAY=1 SSH_ASKPASS=agent-askpass ssh-add - >/dev/null

docker-rsync/agent-askpass

@@ -0,0 +1,5 @@
+#!/bin/sh
+
+set -eu
+
+echo "$SSH_PASS"

docker-rsync/agent-start

@@ -0,0 +1,21 @@
+#!/bin/sh
+
+set -eu
+
+FOLDER=${1:-default}
+STORE_PATH="/tmp/ssh-agent/$FOLDER"
+mkdir -p "$STORE_PATH"
+
+if [ -z "${SSH_AGENT_PID:-}" ]; then
+	if [ -f "$STORE_PATH/id" ]; then
+		SSH_AGENT_PID=$(cat "$STORE_PATH/id")
+		export SSH_AGENT_PID
+
+		SSH_AUTH_SOCK=$(cat "$STORE_PATH/sock")
+		export SSH_AUTH_SOCK
+	else
+		eval "$(ssh-agent)" > /dev/null
+		echo "$SSH_AGENT_PID" > "$STORE_PATH"/id
+		echo "$SSH_AUTH_SOCK" > "$STORE_PATH"/sock
+	fi
+fi