diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 021753c..e3f8a58 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -197,9 +197,7 @@ jobs:
           SECRET: ${{ secrets.SECRET }}
           SITE_URL: ${{ secrets.SITE_URL }}
         run: |
-          # syndicate-webhook.sh lives at /usr/local/indiekit/ inside the node jail (persistent path).
-          # jsonwebtoken is only available there, not on the runner.
+          # bastille cmd does not forward env vars — use jexec with explicit env.
           ssh -p 222 -i ~/.ssh/id_rsa -o StrictHostKeyChecking=no \
             ${{ secrets.SSH_USER }}@${{ secrets.SSH_HOST }} \
-            "SECRET='$SECRET' SITE_URL='$SITE_URL' \
-             doas bastille cmd node sh /usr/local/indiekit/syndicate-webhook.sh"
+            "doas jexec node env SECRET='$SECRET' SITE_URL='$SITE_URL' sh /usr/local/indiekit/syndicate-webhook.sh"