svemagie.net/indiekit-blog
1
0
Fork 0
Code Issues Actions Packages Projects Releases Activity

fix: run syndication webhook inside node jail (jsonwebtoken not on runner)

Browse Source
This commit is contained in:
svemagie
2026-05-14 20:04:01 +02:00
parent 938f4ad706
commit 126857a2a9
1 changed files with 19 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/workflows/deploy.yml
+19 -11
View File
@@ -196,23 +196,31 @@ jobs:
env: env:
SECRET: ${{ secrets.SECRET }} SECRET: ${{ secrets.SECRET }}
SITE_URL: ${{ secrets.SITE_URL }} SITE_URL: ${{ secrets.SITE_URL }}
INDIEKIT_INTERNAL_URL: http://10.100.0.20:3000
run: | run: |
TOKEN=$(node --input-type=commonjs <<'EOF' # Write script to host /tmp, then copy into jail and run it there.
const jwt = require('jsonwebtoken'); # jsonwebtoken is only available inside the node jail at /usr/local/indiekit/node_modules.
const token = jwt.sign( cat > /tmp/syndicate.sh << 'SCRIPT'
{ me: process.env.SITE_URL, scope: 'update' }, #!/bin/sh
process.env.SECRET, set -eu
{ expiresIn: '10m' } TOKEN=$(node --input-type=commonjs << 'JSEOF'
); const jwt = require('/usr/local/indiekit/node_modules/jsonwebtoken');
process.stdout.write(token); process.stdout.write(jwt.sign({ me: process.env.SITE_URL, scope: 'update' }, process.env.SECRET, { expiresIn: '10m' }));
EOF JSEOF
) )
RESPONSE=$(curl -sS -w "\n%{http_code}" -X POST \ RESPONSE=$(curl -sS -w "\n%{http_code}" -X POST \
-H "Content-Type: application/json" \ -H "Content-Type: application/json" \
-d "{\"access_token\": \"$TOKEN\"}" \ -d "{\"access_token\": \"$TOKEN\"}" \
"$INDIEKIT_INTERNAL_URL/syndicate") http://10.100.0.20:3000/syndicate)
HTTP_CODE=$(echo "$RESPONSE" | tail -1) HTTP_CODE=$(echo "$RESPONSE" | tail -1)
BODY=$(echo "$RESPONSE" | sed '$d') BODY=$(echo "$RESPONSE" | sed '$d')
echo "HTTP $HTTP_CODE: $BODY" echo "HTTP $HTTP_CODE: $BODY"
[ "$HTTP_CODE" -lt 400 ] [ "$HTTP_CODE" -lt 400 ]
SCRIPT
scp -P 222 -i ~/.ssh/id_rsa -o StrictHostKeyChecking=no \
/tmp/syndicate.sh \
${{ secrets.SSH_USER }}@${{ secrets.SSH_HOST }}:/tmp/syndicate.sh
ssh -p 222 -i ~/.ssh/id_rsa -o StrictHostKeyChecking=no \
${{ secrets.SSH_USER }}@${{ secrets.SSH_HOST }} \
"doas cp /tmp/syndicate.sh /usr/local/bastille/jails/node/root/tmp/syndicate.sh && \
SECRET='$SECRET' SITE_URL='$SITE_URL' \
doas bastille cmd node sh /tmp/syndicate.sh"