fix: run syndication webhook from persistent jail path, not /tmp

.github/workflows/deploy.yml

@@ -197,30 +197,9 @@ jobs:
           SECRET: ${{ secrets.SECRET }}
           SITE_URL: ${{ secrets.SITE_URL }}
         run: |
-          # Write script to host /tmp, then copy into jail and run it there.
-          # jsonwebtoken is only available inside the node jail at /usr/local/indiekit/node_modules.
-          cat > /tmp/syndicate.sh << 'SCRIPT'
-          #!/bin/sh
-          set -eu
-          TOKEN=$(node --input-type=commonjs << 'JSEOF'
-const jwt = require('/usr/local/indiekit/node_modules/jsonwebtoken');
-process.stdout.write(jwt.sign({ me: process.env.SITE_URL, scope: 'update' }, process.env.SECRET, { expiresIn: '10m' }));
-JSEOF
-          )
-          RESPONSE=$(curl -sS -w "\n%{http_code}" -X POST \
-            -H "Content-Type: application/json" \
-            -d "{\"access_token\": \"$TOKEN\"}" \
-            http://10.100.0.20:3000/syndicate)
-          HTTP_CODE=$(echo "$RESPONSE" | tail -1)
-          BODY=$(echo "$RESPONSE" | sed '$d')
-          echo "HTTP $HTTP_CODE: $BODY"
-          [ "$HTTP_CODE" -lt 400 ]
-          SCRIPT
-          scp -P 222 -i ~/.ssh/id_rsa -o StrictHostKeyChecking=no \
-            /tmp/syndicate.sh \
-            ${{ secrets.SSH_USER }}@${{ secrets.SSH_HOST }}:/tmp/syndicate.sh
+          # syndicate-webhook.sh lives at /usr/local/indiekit/ inside the node jail (persistent path).
+          # jsonwebtoken is only available there, not on the runner.
           ssh -p 222 -i ~/.ssh/id_rsa -o StrictHostKeyChecking=no \
             ${{ secrets.SSH_USER }}@${{ secrets.SSH_HOST }} \
-            "doas cp /tmp/syndicate.sh /usr/local/bastille/jails/node/root/tmp/syndicate.sh && \
-             SECRET='$SECRET' SITE_URL='$SITE_URL' \
-             doas bastille cmd node sh /tmp/syndicate.sh"
+            "SECRET='$SECRET' SITE_URL='$SITE_URL' \
+             doas bastille cmd node sh /usr/local/indiekit/syndicate-webhook.sh"