diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 0be09e4..021753c 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -197,30 +197,9 @@ jobs:
 SECRET: ${{ secrets.SECRET }}
 SITE_URL: ${{ secrets.SITE_URL }}
 run: |
- # Write script to host /tmp, then copy into jail and run it there.
- # jsonwebtoken is only available inside the node jail at /usr/local/indiekit/node_modules.
- cat > /tmp/syndicate.sh << 'SCRIPT'
- #!/bin/sh
- set -eu
- TOKEN=$(node --input-type=commonjs << 'JSEOF'
-const jwt = require('/usr/local/indiekit/node_modules/jsonwebtoken');
-process.stdout.write(jwt.sign({ me: process.env.SITE_URL, scope: 'update' }, process.env.SECRET, { expiresIn: '10m' }));
-JSEOF
- )
- RESPONSE=$(curl -sS -w "\n%{http_code}" -X POST \
- -H "Content-Type: application/json" \
- -d "{\"access_token\": \"$TOKEN\"}" \
- http://10.100.0.20:3000/syndicate)
- HTTP_CODE=$(echo "$RESPONSE" | tail -1)
- BODY=$(echo "$RESPONSE" | sed '$d')
- echo "HTTP $HTTP_CODE: $BODY"
- [ "$HTTP_CODE" -lt 400 ]
- SCRIPT
- scp -P 222 -i ~/.ssh/id_rsa -o StrictHostKeyChecking=no \
- /tmp/syndicate.sh \
- ${{ secrets.SSH_USER }}@${{ secrets.SSH_HOST }}:/tmp/syndicate.sh
+ # syndicate-webhook.sh lives at /usr/local/indiekit/ inside the node jail (persistent path).
+ # jsonwebtoken is only available there, not on the runner.
 ssh -p 222 -i ~/.ssh/id_rsa -o StrictHostKeyChecking=no \
 ${{ secrets.SSH_USER }}@${{ secrets.SSH_HOST }} \
- "doas cp /tmp/syndicate.sh /usr/local/bastille/jails/node/root/tmp/syndicate.sh && \
- SECRET='$SECRET' SITE_URL='$SITE_URL' \
- doas bastille cmd node sh /tmp/syndicate.sh"
+ "SECRET='$SECRET' SITE_URL='$SITE_URL' \
+ doas bastille cmd node sh /usr/local/indiekit/syndicate-webhook.sh"
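Review bot: The new last line runs `/usr/local/indiekit/syndicate-webhook.sh` as root inside the jail (via `doas bastille cmd node`) with `SECRET` in its environment, but that path is the application directory, and the workflow no longer controls the script's contents or permissions the way the removed heredoc did; if the service account that runs indiekit can write to that directory, a compromised app can rewrite the script and obtain the secret with root-in-jail privileges. The two added comment lines should state the trust requirement, e.g. `# syndicate-webhook.sh must be root-owned and not writable by the indiekit service user: it runs as root in the jail with SECRET in its environment.`, and ideally the script should live outside the app tree or be provisioned from this repository so its contents stay reviewed. Note also that `SECRET='$SECRET'` still places the secret in the remote command's argv, where it is visible in process listings on the host and in the jail, and a value containing a single quote would break the quoting; passing it on stdin or via ssh `SendEnv`/`AcceptEnv` would avoid both, though this is pre-existing rather than introduced here. The `StrictHostKeyChecking=no` context line likewise pre-exists; a pinned `known_hosts` entry would close the host-impersonation gap. The step's `run` block ends at the hunk's last line; the rest of the job is outside the hunk.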