From 342e70b07eb35b517864a3ee86a034272b724aa9 Mon Sep 17 00:00:00 2001 From: Steven Agyekum Date: Mon, 2 Aug 2021 21:57:01 +0200 Subject: [PATCH] Release/v5 (#13) * Reference JoshPiper/rsync-docker @ 1.1.0 * See: https://github.com/JoshPiper/rsync-docker/tree/1.1.0 * New features: Support passphrase protected keys * supply SSH_PASS (key passphrase) to agent-add Read more about the behavior: https://github.com/JoshPiper/rsync-docker#agent-askpass * add new remote_key_pass config option * Update README.md * Update README.md * 2.0 is EOL * support 5.0, drop 2.0 * default to empty string * reference JoshPiper/rsync-docker @ v1.2.0 --- Dockerfile | 2 +- README.md | 55 +++++++++++++++++++++++++++++++++++++++++++-------- SECURITY.md | 4 +++- action.yml | 4 ++++ entrypoint.sh | 2 +- 5 files changed, 56 insertions(+), 11 deletions(-) diff --git a/Dockerfile b/Dockerfile index e206465..f0daa6b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM drinternet/rsync:1.0.1 +FROM drinternet/rsync:v1.2.0 # Copy entrypoint COPY entrypoint.sh /entrypoint.sh diff --git a/README.md b/README.md index c4cfc35..67f2c82 100644 --- a/README.md +++ b/README.md 
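Review bot: The new `FROM` line references the base image by a mutable tag, so the content behind `drinternet/rsync:v1.2.0` can change without any change in this repository. The entrypoint pipes the deploy private key, and with this commit its passphrase, into `agent-add`, which appears to be provided by that image, so whoever can move the tag is in the trust path for those secrets. Pinning the digest next to the tag keeps the build reproducible and makes every base-image update an explicit, reviewable change: `FROM drinternet/rsync:v1.2.0@sha256:<digest-of-the-reviewed-image>` (placeholder; use the digest of the image you actually reviewed).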
@@ -26,11 +26,17 @@ The underlaying base-image of the docker-image is very small (Alpine (no cache)) - `remote_key`* - The remote ssh key +- `remote_key_pass` - The remote ssh key passphrase (if any) + ``* = Required`` -## Required secret +## Required secret(s) -This action needs a `DEPLOY_KEY` secret variable. This should be the private key part of a ssh key pair. The public key part should be added to the authorized_keys file on the server that receives the deployment. This should be set in the Github secrets section and then referenced as the `remote_key` input. +This action needs secret variables for the ssh private key of your key pair. The public key part should be added to the authorized_keys file on the server that receives the deployment. The secret variable should be set in the Github secrets section of your org/repo and then referenced as the `remote_key` input. + +> Always use secrets when dealing with sensitive inputs! + +For simplicity, we are using `DEPLOY_*` as the secret variables throughout the examples. ## Example usage @@ -49,7 +55,7 @@ jobs: steps: - uses: actions/checkout@v2 - name: rsync deployments - uses: burnett01/rsync-deployments@4.1 + uses: burnett01/rsync-deployments@5.0 with: switches: -avzr --delete path: src/ @@ -68,7 +74,7 @@ jobs: steps: - uses: actions/checkout@v2 - name: rsync deployments - uses: burnett01/rsync-deployments@4.1 + uses: burnett01/rsync-deployments@5.0 with: switches: -avzr --delete --exclude="" --include="" --filter="" path: src/ @@ -79,7 +85,7 @@ jobs: remote_key: ${{ secrets.DEPLOY_KEY }} ``` -For better security, I suggest you create additional secrets for remote_host, remote_port and remote_user inputs. +For better **security**, I suggest you create additional secrets for remote_host, remote_port, remote_user and remote_path inputs. ``` jobs: 
@@ -88,17 +94,50 @@ jobs: steps: - uses: actions/checkout@v2 - name: rsync deployments - uses: burnett01/rsync-deployments@4.1 + uses: burnett01/rsync-deployments@5.0 with: switches: -avzr --delete path: src/ - remote_path: /var/www/html/ + remote_path: ${{ secrets.DEPLOY_PATH }} remote_host: ${{ secrets.DEPLOY_HOST }} remote_port: ${{ secrets.DEPLOY_PORT }} remote_user: ${{ secrets.DEPLOY_USER }} remote_key: ${{ secrets.DEPLOY_KEY }} ``` +If your private key is passphrase protected you should use: + +``` +jobs: + deploy: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: rsync deployments + uses: burnett01/rsync-deployments@5.0 + with: + switches: -avzr --delete + path: src/ + remote_path: ${{ secrets.DEPLOY_PATH }} + remote_host: ${{ secrets.DEPLOY_HOST }} + remote_port: ${{ secrets.DEPLOY_PORT }} + remote_user: ${{ secrets.DEPLOY_USER }} + remote_key: ${{ secrets.DEPLOY_KEY }} + remote_key_pass: ${{ secrets.DEPLOY_KEY_PASS }} +``` +--- + +## Version 4.0 & 4.1 + +Looking for version 4.0 and 4.1? + +Check here: + +- https://github.com/Burnett01/rsync-deployments/tree/4.0 +- https://github.com/Burnett01/rsync-deployments/tree/4.1 + +Version 4.0 & 4.1 use the ``drinternet/rsync:1.0.1`` base-image. + --- ## Version 3.0 @@ -111,7 +150,7 @@ Version 3.0 uses the ``alpine:latest`` base-image directly.
Consider upgrading to 4.0 that uses a docker-image ``drinternet/rsync:1.0.1`` that is
based on ``alpine:latest``and heavily optimized for rsync. -## Version 2.0 +## Version 2.0 (EOL) Looking for version 2.0? diff --git a/SECURITY.md b/SECURITY.md index 67de8c8..8db6109 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -6,10 +6,12 @@ The following versions are currently being supported with security updates: | Version | Supported | | ------- | ------------------ | +| 5.0 | :white_check_mark: | | 4.1 | :white_check_mark: | | 4.0 | :white_check_mark: | | 3.0 | :white_check_mark: | -| < 2.0 | :x: | +| 2.0 | :x: | +| 1.0 | :x: | ## Reporting a Vulnerability diff --git a/action.yml b/action.yml index d89ac9e..31eaea8 100644 --- a/action.yml +++ b/action.yml @@ -29,6 +29,10 @@ inputs: remote_key: description: 'The remote key' required: true + remote_key_pass: + description: 'The remote key passphrase' + required: false + default: '' runs: using: 'docker' image: 'Dockerfile' diff --git a/entrypoint.sh b/entrypoint.sh index 6590803..9d0f2b5 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -2,7 +2,7 @@ # Start the SSH agent and load key. source agent-start "$GITHUB_ACTION" -echo "$INPUT_REMOTE_KEY" | agent-add +echo "$INPUT_REMOTE_KEY" | SSH_PASS="$INPUT_REMOTE_KEY_PASS" agent-add # Add strict errors. set -eu
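Review bot: A failure to load the key is not checked on the changed `agent-add` line, because `set -eu` is only enabled two lines later. If `agent-add` rejects the passphrase (assuming it exits non-zero in that case), the script carries on and the job presumably fails later at the transfer step with a less specific error. Failing at the point of the problem is clearer, e.g. `echo "$INPUT_REMOTE_KEY" | SSH_PASS="$INPUT_REMOTE_KEY_PASS" agent-add || exit 1`. Scoping `SSH_PASS` to that single command instead of exporting it is worth keeping, since it keeps the passphrase out of the environment of later commands. The rest of entrypoint.sh is outside the hunk.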