Enhance deployment workflow with deploy ignore, concurrency support, and security fixes

- Add support for user-supplied .deployignore files and added built-in
ignore rules
- Exclude sensitive files by default (Steam credentials, .git/)
- Add an option for concurrent staging paths with commit SHA to avoid
conflicts with concurrent deployments (disabled by default)
- Update manifest generation to use filtered staging directory
- Add rsync installation in Dockerfile (used for .deployignore)
- Added verbosity a control for rsync operations.

Author: Gamebuster19901

.deployignore

@@ -0,0 +1,46 @@
+# # # Use rsync EXCLUDE syntax # # #
+
+#######
+# GIT #
+#######
+#The .git directory and everything under it
+.git/
+#Any .gitignore file
+.gitignore
+#Any .gitattributes file
+.gitattributes
+
+##########
+# GITHUB #
+##########
+# Github specific applications and workflows
+.github/
+
+################
+# STEAM DEPLOY #
+################
+#Any .deployignorefile
+.deployignore
+#The default deployment directory
+deploy/
+
+#########
+# STEAM #
+#########
+# Steam login files and credentials
+config.vdf
+localconfig.vdf
+DialogConfig.vdf
+# Steam guard tokens
+ssfn*
+# app manifest files
+*.acf
+
+###############
+# COMMON KEYS #
+###############
+.env
+.env.*
+.pem
+.key
+.crt

Dockerfile

@@ -1,3 +1,5 @@
 FROM steamcmd/steamcmd:ubuntu-22
 COPY steam_deploy.sh /root/steam_deploy.sh
+COPY .deployignore /root/.defaultdeployignore
+RUN apt-get update && apt-get install -y rsync
 ENTRYPOINT ["/root/steam_deploy.sh"]

action.yml

@@ -30,7 +30,27 @@ inputs:
   path:
     required: false
     default: ''
-    description: 'The path of the directory to be uploaded, relative to the repository root.'
+    description: 'The path of the directory containing the files you wish to upload, relative to the repository root.'
+  deployIgnore:
+    required: true
+    default: ''
+    description: 'The path of the deploy ignore file. Paths in this file are not included in the deployment. If a value is not supplied, will attempt to read a file named `.deployignore` from the root of the supplied path.'
+  useBuiltinDeployIgnore:
+    required: true
+    default: 'true'
+    description: 'Enables the built-in .deployignore rules to exclude common sensitive files during deployment. This is combined with the file supplied in `deployIgnore`'
+  stagingPath:
+    required: true
+    default: '/tmp/steam_deploy/'
+    description: 'The staging directory. Files will be copied from your `path` to here before being uploaded. Anything excluded under your .deployIgnore rules will not be copied here, and as such will not be packaged with your deployed artifact. This directory is not cleared when this workflow finishes.'
+  concurrentStaging:
+    required: true
+    default: 'false'
+    description: 'If `true`, the `stagingPath` will include the commit SHA as a subdirectory, ensuring each deployment uses its own isolated path and avoiding conflicts between concurrent deployments. Useful for self-hosted or nonephemeral actions runners. This directory is not cleared when this workflow finishes'
+  verbosity:
+    required: true
+    default: "NORMAL"
+    description: 'Sets the log verbosity. Can be either `NORMAL` or `TRACE`. If invalid, will behave as `TRACE`.'
   changeNote:
     required: false
     default: ''
@@ -50,3 +70,8 @@ runs:
     itemId: ${{ inputs.publishedFileId }}
     rootPath: ${{ inputs.path }}
     changeNote: ${{ inputs.changeNote }}
+    deployIgnore: ${{ inputs.deployIgnore }}
+    useBuiltinDeployIgnore: ${{ inputs.useBuiltinDeployIgnore }}
+    stagingPath: ${{ inputs.stagingPath }}
+    concurrentStaging: ${{ inputs.concurrentStaging }}
+    verbosity: ${{ inputs.verbosity }}

steam_deploy.sh

@@ -8,6 +8,71 @@ contentroot=$(pwd)/$rootPath
 
 manifest_path=$(pwd)/manifest.vdf
 
+echo ""
+echo "##########################"
+echo "# Calculating Deployment #"
+echo "##########################"
+echo ""
+
+if [ "$concurrentStaging" == "true" ]; then
+    stagingPath="$stagingPath/$GITHUB_SHA"
+fi
+
+mkdir -p "$stagingPath"
+
+echo "Staging Path: $stagingPath"
+
+if [ -z "$deployIgnore" ]; then
+    if [ -f "$contentroot/.deployignore" ]; then
+        deployIgnore="$contentroot/.deployignore"
+        echo "Using user content root .deployignore at $deployIgnore"
+    else
+        deployIgnore=""
+        echo "no user .deployignore found"
+    fi
+else
+    # Make deployIgnore absolute if relative
+    if [[ ! "$deployIgnore" = /* ]]; then
+        deployIgnore="$contentroot/$deployIgnore"
+    fi
+    echo "Using user supplied deploy ignore file at $deployIgnore"
+fi
+
+RSYNC_EXCLUDE_PARAMS=()
+
+if [ "$useBuiltinDeployIgnore" == "true" ]; then
+    echo "Including built-in deploy ignore"
+    RSYNC_EXCLUDE_PARAMS+=(--exclude-from=/root/.defaultdeployignore)
+else
+    echo "!!!!!!NOT USING BUILT IN DEPLOY IGNORE FILE!!!!!!"
+fi
+
+if [ -n "$deployIgnore" ]; then
+    echo "Including user deploy ignore file $deployIgnore"
+    RSYNC_EXCLUDE_PARAMS+=(--exclude-from="$deployIgnore")
+fi
+
+echo "# BuildIgnore Start #"
+
+if [ "$useBuiltinDeployIgnore" = "true" ]; then
+    cat /root/.defaultdeployignore || true
+fi
+echo ""
+if [ -n "$deployIgnore" ]; then
+    cat "$deployIgnore" || true
+fi
+
+echo "# BuildIgnore End #"
+
+echo "Running rsync to package content..."
+
+if [ "$verbosity" != "NORMAL" ]; then #NOTE: Documentation states that valid values are NORMAL and TRACE.
+    rsync -av "${RSYNC_EXCLUDE_PARAMS[@]}" "$contentroot/" "$stagingPath"
+else #assume TRACE
+    rsync -a "${RSYNC_EXCLUDE_PARAMS[@]}" "$contentroot/" "$stagingPath"
+fi
+
+
 echo ""
 echo "#################################"
 echo "#    Generating Item Manifest   #"
@@ -19,7 +84,7 @@ cat << EOF > "manifest.vdf"
 {
     "appid" "$appId"
     "publishedfileid" "$itemId"
-    "contentfolder" "$contentroot"
+    "contentfolder" "$stagingPath"
     "changenote" "$changeNote"
 }
 EOF