fix(deploy): explicitly re-run all patches after npm ci

Adds an explicit patch loop in the deploy step to ensure all
scripts/patch-*.mjs run even if npm ci postinstall was skipped.
This guarantees changelog categorization and other patches are
always applied on the server regardless of npm install mode.

.github/workflows/deploy.yml

@@ -41,6 +41,9 @@ jobs:
 
             # sharp/libvips are managed manually on the server.
 
+            # Verify and re-apply patches in case postinstall was skipped (e.g. npm ci --ignore-scripts).
+            sudo bastille cmd node sh -lc 'su -l indiekit -c "cd /usr/local/indiekit && for patch in scripts/patch-*.mjs; do node \"\$patch\"; done"'
+
             # Ensure env file exists and contains auth secrets required by start.sh.
             sudo bastille cmd node sh -lc 'su -l indiekit -c "cd /usr/local/indiekit && test -f .env"'
             sudo bastille cmd node sh -lc 'su -l indiekit -c "cd /usr/local/indiekit && if ! grep -Eq \"^SECRET=.*\" .env; then echo \"Missing SECRET in /usr/local/indiekit/.env\"; exit 1; fi; if ! (grep -Eq \"^PASSWORD_SECRET=.*\" .env || grep -Eq \"^INDIEKIT_ALLOW_PASSWORD_SETUP=1\" .env); then echo \"Missing PASSWORD_SECRET (or set INDIEKIT_ALLOW_PASSWORD_SETUP=1 for one-time recovery) in /usr/local/indiekit/.env\"; exit 1; fi"'