fix(deploy-static-site): inject NOMAD_ADDR via runner, use shared nomad/jobs var

Remove hardcoded nomad-addr input — NOMAD_ADDR is now injected by the
Forgejo runner via container.options using host.docker.internal.

Switch Nomad Variable path from static-sites/s3 to nomad/jobs so all
jobs in the namespace can read it without explicit ACL policies.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

deploy-static-site/action.yaml

@@ -2,6 +2,7 @@ name: Deploy Static Site
 description: Build site with Nix, push tarball to S3, deploy via Nomad with shared static-server image
 
 # Required env vars: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, NOMAD_TOKEN
+# NOMAD_ADDR is injected by the Forgejo runner via container.options
 # Optional env vars: NIX_SIGNING_KEY (if set, signs and pushes Nix closure to S3 binary cache)
 
 inputs:
@@ -14,11 +15,6 @@ inputs:
     required: false
     default: 'default'
 
-  nomad-addr:
-    description: 'Nomad API address'
-    required: false
-    default: 'http://172.17.0.1:4646'
-
   server-image:
     description: 'OCI image for the static server'
     required: false
@@ -85,7 +81,6 @@ runs:
           --expr "import \"${{ github.action_path }}/nomad-job.nix\"" \
           | nomad job run -json -
       env:
-        NOMAD_ADDR: ${{ inputs.nomad-addr }}
         DOMAIN: ${{ inputs.domain }}
         SITE_HASH: ${{ env.SITE_HASH }}
         SERVER_IMAGE: ${{ env.SERVER_IMAGE_PINNED }}

deploy-static-site/nomad-job.nix

@@ -14,7 +14,7 @@ let
     "exec static-web-server --port 8080 --root /var/www";
 
   templateData =
-    "{{ with nomadVar \"static-sites/s3\" }}" +
+    "{{ with nomadVar \"nomad/jobs\" }}" +
     "AWS_ACCESS_KEY_ID={{ .access_key }}\n" +
     "AWS_SECRET_ACCESS_KEY={{ .secret_key }}\n" +
     "AWS_ENDPOINT_URL={{ .endpoint }}\n" +