From 668f7fa51a8646457304e457bf8981fb88d679c2 Mon Sep 17 00:00:00 2001
From: Sven
Date: Thu, 14 May 2026 20:37:12 +0200
Subject: [PATCH] fix: use jexec env to pass vars into node jail for syndication webhook
---
 .github/workflows/deploy.yml | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 021753c..e3f8a58 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -197,9 +197,7 @@ jobs:
 SECRET: ${{ secrets.SECRET }}
 SITE_URL: ${{ secrets.SITE_URL }}
 run: |
- # syndicate-webhook.sh lives at /usr/local/indiekit/ inside the node jail (persistent path).
- # jsonwebtoken is only available there, not on the runner.
+ # bastille cmd does not forward env vars — use jexec with explicit env.
 ssh -p 222 -i ~/.ssh/id_rsa -o StrictHostKeyChecking=no \
 ${{ secrets.SSH_USER }}@${{ secrets.SSH_HOST }} \
- "SECRET='$SECRET' SITE_URL='$SITE_URL' \
- doas bastille cmd node sh /usr/local/indiekit/syndicate-webhook.sh"
+ "doas jexec node env SECRET='$SECRET' SITE_URL='$SITE_URL' sh /usr/local/indiekit/syndicate-webhook.sh"
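Review bot: The added `doas jexec node env SECRET='$SECRET' SITE_URL='$SITE_URL' …` line expands both secrets on the runner and sends them as command-line arguments, so on the host they land in the argument lists of the login shell, `doas`, `jexec` and `env`, where process listings and any command logging that is enabled can capture them; a value containing a single quote would also end the quoting and be parsed by the remote shell. Passing the values on stdin avoids both: put `printf '%s\n%s\n' "$SECRET" "$SITE_URL" | \` in front of `ssh` and make the remote command `"doas jexec node sh -c 'IFS= read -r SECRET; IFS= read -r SITE_URL; export SECRET SITE_URL; exec sh /usr/local/indiekit/syndicate-webhook.sh'"`, which assumes single-line values and a script that does not itself read stdin. The unchanged `-o StrictHostKeyChecking=no` on the ssh line means these secrets are sent to a host whose key is never verified, so the host key should be pinned in `known_hosts` instead. The workflow step begins above the hunk, so its name and any conditions on it are not visible here.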