As mentioned in #145 if the TARGET argument is unspecified then the action should exit and return an error before any changes are made to the filesystem. In other words, TARGET should not have a default value. If TARGET is assigned to a non-existent GitHub secret or empty variable then it will proceed to work in the /home/REMOTE_USER directory, in accordance with the docs:
TARGET (optional, default '/home/REMOTE_USER/')
I think it's clear to see why this behaviour is extremely dangerous, as the suggested workflow rsync args will cause the recursive removal of all files and directories in the home directory as well as placing the files in the wrong directory. Even if the docs for this action are read thouroughly and rsync args are handcrafted, if a GitHub secret is removed by accident and this workflow runs then it's likely going to cause headaches. TARGET should always be explicitly defined to prevent this
As mentioned in #145 if the
TARGET
argument is unspecified then the action should exit and return an error before any changes are made to the filesystem. In other words,TARGET
should not have a default value. IfTARGET
is assigned to a non-existent GitHub secret or empty variable then it will proceed to work in the/home/REMOTE_USER
directory, in accordance with the docs:I think it's clear to see why this behaviour is extremely dangerous, as the suggested workflow rsync args will cause the recursive removal of all files and directories in the home directory as well as placing the files in the wrong directory. Even if the docs for this action are read thouroughly and rsync args are handcrafted, if a GitHub secret is removed by accident and this workflow runs then it's likely going to cause headaches.
TARGET
should always be explicitly defined to prevent thisRelevant code, src/inputs.js#L14
EDIT: Wording, relevant line