Site Deployment
2023-04-09
Need to tweak it a bit, but the site is now deployed via git hooks. Specifically, the site is built server-side in a small Ubuntu-based container.
- code is pushed.
- post-receive hook makes note of branch, site directory, and git repository.
- post-receive hook injects that information into the container as environment variables, along with setting up all the proper bind mounts.
- the entrypoint.sh script in the container clones the proper branch of the site code repository into a temporary site-source directory.
- hugo builds the site source and sends it to the proper destination based on the aforementioned branch information.
It’s not that complicated, but getting all the UID/GID issues sorted out was a
pain in the ass. The build runs as the web server system user so it can’t
clobber anything it’s not supposed to. If there’s one thing that absolutely
sucks about containers and namespaces it’s all the hoops you have to jump
through to get security right. May check out podman in the future.
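
A sketch of the hook side of the flow above, as an added example rather than the hook this site actually runs. The image name, web server user, destination paths and SITE_* variable names are assumptions, and so are the capability and no-new-privileges flags, which go beyond what the post describes. The branch allowlist keeps an arbitrary pushed ref name from reaching a bind mount or environment variable.

```shell
#!/bin/sh
# Added example: post-receive hook for a bare repository. Image name, user,
# paths and SITE_* variable names are assumptions, not taken from the post.
IMAGE="site-builder:latest"   # hypothetical build image
WEB_USER="www-data"           # hypothetical web server system user
REPO_DIR=$(pwd)               # git runs hooks from the bare repo directory

# Map a pushed ref to its site directory. Only allowlisted branches deploy,
# so a pushed ref name never reaches a path or environment variable unchecked.
dest_for_ref() {
    case "$1" in
        refs/heads/main)    echo "/var/www/site" ;;
        refs/heads/staging) echo "/var/www/staging" ;;
        *) return 1 ;;
    esac
}

# Start the build container. Args: branch dest uid gid.
# RUN=echo prints the command instead of running it (dry run).
run_build() {
    $RUN docker run --rm \
        --user "$3:$4" \
        --cap-drop=ALL --security-opt=no-new-privileges \
        -e "SITE_BRANCH=$1" -e "SITE_REPO=/repo" -e "SITE_DEST=/dest" \
        -v "$REPO_DIR:/repo:ro" \
        -v "$2:/dest" \
        "$IMAGE" </dev/null
}

# Args: uid gid. Stdin: the "<old> <new> <ref>" lines git feeds the hook.
handle_push() {
    while read -r _old new ref; do
        case "$new" in *[!0]*) ;; *) continue ;; esac  # all zeros: branch deleted
        dest=$(dest_for_ref "$ref") || continue        # branch is not deployed
        run_build "${ref#refs/heads/}" "$dest" "$1" "$2"
    done
}

# Only act when installed as hooks/post-receive.
case "$0" in
    */post-receive) handle_push "$(id -u "$WEB_USER")" "$(id -g "$WEB_USER")" ;;
esac
```

Setting RUN=echo before calling handle_push prints the docker command for each deployable ref without starting a container, which makes the UID/GID and mount arguments easy to check.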