All notable changes to this action are documented here.
Format follows Keep a Changelog.
- License changed from MIT to Apache 2.0
- Replaced all em dashes with standard hyphens across docs, workflows, and action.yml (history rewritten)
- Initial release - part of the NXTools Collection by NX1X (https://nx1xlab.dev/nxtools)
- Install
cloudflaredfrom GitHub releases (latest or pinned version) - Write SSH private key with correct permissions (
chmod 600) - Create wrapper script embedding
TUNNEL_SERVICE_TOKEN_ID/TUNNEL_SERVICE_TOKEN_SECRETat write-time (bypasses ProxyCommand subprocess env var propagation issue) - Configure
~/.ssh/configwith ProxyCommand, timeouts, and keep-alive settings - Verify step: print cloudflared version, key fingerprint, redacted wrapper script, SSH config entry
- Optional connection test (
test-connection: trueby default) - Inputs:
cf-access-client-id,cf-access-client-secret,ssh-private-key,ssh-host,ssh-user,cloudflared-version,ssh-key-path,connect-timeout,server-alive-interval,test-connection - Manual release workflow (
workflow_dispatch) with version validation, duplicate tag check, and floating major version tag - CI workflow with pinned
actionlint(v1.7.7) andshellcheck - Dependabot for GitHub Actions version updates
- All
${{ inputs.* }}and${{ steps.*.outputs.* }}expressions in shell scripts routed throughenv:blocks to prevent script injection - Input validation for
cloudflared-version- rejects values that don't matchlatestorX.Y.Zformat softprops/action-gh-releasepinned to commit SHA to prevent supply chain attacks- Explicit
permissionsblocks on all workflows (least-privilegecontents: read) - Credentials redacted in verify step output via
sed - Documentation examples use
env:blocks instead of direct${{ secrets.* }}inrun:blocks