From 126857a2a9c4d514d43ae6fe0cc208d197a1064e Mon Sep 17 00:00:00 2001
From: svemagie <869694+svemagie@users.noreply.github.com>
Date: Thu, 14 May 2026 20:04:01 +0200
Subject: [PATCH] fix: run syndication webhook inside node jail (jsonwebtoken not on runner)
---
 .github/workflows/deploy.yml | 30 +++++++++++++++++++-----------
 1 file changed, 19 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 60de5e7..0be09e4 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -196,23 +196,31 @@ jobs:
 env:
 SECRET: ${{ secrets.SECRET }}
 SITE_URL: ${{ secrets.SITE_URL }}
- INDIEKIT_INTERNAL_URL: http://10.100.0.20:3000
 run: |
- TOKEN=$(node --input-type=commonjs <<'EOF'
- const jwt = require('jsonwebtoken');
- const token = jwt.sign(
- { me: process.env.SITE_URL, scope: 'update' },
- process.env.SECRET,
- { expiresIn: '10m' }
- );
- process.stdout.write(token);
- EOF
+ # Write script to host /tmp, then copy into jail and run it there.
+ # jsonwebtoken is only available inside the node jail at /usr/local/indiekit/node_modules.
+ cat > /tmp/syndicate.sh << 'SCRIPT'
+ #!/bin/sh
+ set -eu
+ TOKEN=$(node --input-type=commonjs << 'JSEOF'
+const jwt = require('/usr/local/indiekit/node_modules/jsonwebtoken');
+process.stdout.write(jwt.sign({ me: process.env.SITE_URL, scope: 'update' }, process.env.SECRET, { expiresIn: '10m' }));
+JSEOF
 )
 RESPONSE=$(curl -sS -w "\n%{http_code}" -X POST \
 -H "Content-Type: application/json" \
 -d "{\"access_token\": \"$TOKEN\"}" \
- "$INDIEKIT_INTERNAL_URL/syndicate")
+ http://10.100.0.20:3000/syndicate)
 HTTP_CODE=$(echo "$RESPONSE" | tail -1)
 BODY=$(echo "$RESPONSE" | sed '$d')
 echo "HTTP $HTTP_CODE: $BODY"
 [ "$HTTP_CODE" -lt 400 ]
+ SCRIPT
+ scp -P 222 -i ~/.ssh/id_rsa -o StrictHostKeyChecking=no \
+ /tmp/syndicate.sh \
+ ${{ secrets.SSH_USER }}@${{ secrets.SSH_HOST }}:/tmp/syndicate.sh
+ ssh -p 222 -i ~/.ssh/id_rsa -o StrictHostKeyChecking=no \
+ ${{ secrets.SSH_USER }}@${{ secrets.SSH_HOST }} \
+ "doas cp /tmp/syndicate.sh /usr/local/bastille/jails/node/root/tmp/syndicate.sh && \
+ SECRET='$SECRET' SITE_URL='$SITE_URL' \
+ doas bastille cmd node sh /tmp/syndicate.sh"
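Review bot: `SECRET='$SECRET' SITE_URL='$SITE_URL'` in the added ssh command expands the JWT signing secret on the runner and ships it as part of the remote command's argv, where it is visible to any process listing on the host (and the single-quoted form breaks as soon as the value contains a `'`); pass it over the ssh session's stdin or into a 0600 file inside the jail rather than on the command line. Both new `scp` and `ssh` invocations set `-o StrictHostKeyChecking=no`, so a spoofed host on the `SSH_HOST` path would receive that same secret and the script; pinning the host key in `~/.ssh/known_hosts` during setup and running with `StrictHostKeyChecking=yes` (or `accept-new` at minimum) keeps the first-run convenience without disabling verification. The fixed path `/tmp/syndicate.sh`, written with `doas cp` and then executed as root via `bastille cmd`, is a textbook /tmp symlink/TOCTOU target inside the jail: any jail user can pre-create it or swap it between the copy and the run, so a root-owned, non-world-writable staging directory (or `mktemp -d`) with the script installed at a fresh name would be safer. The enclosing workflow step starts before this hunk.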