site-publish: default S3 endpoint to garage-s3 (data-only Service)

The existing garage Service round-robined S3 across all three garage pods,
including the gateway. The gateway pod uses an emptyDir for /data, so its
in-memory auth table is unreliable after restart — site-publish runs hit
intermittent 'Forbidden: No such key' errors during aws s3 sync.

The new garage-s3 Service in fritzlab/apps@d9aa376 selects only
garage-role=data pods (nas001 + nas002), bypassing the gateway entirely.

action.yaml

@@ -11,9 +11,12 @@ inputs:
     description: Garage ci-deploy-key secret access key
     required: true
   s3-endpoint:
+    # Targets garage-s3 (data-only Service) so requests do not round-robin onto
+    # the gateway pod, whose emptyDir-backed metadata view intermittently
+    # returns "No such key" through the S3 API.
     description: Garage S3 endpoint URL
     required: false
-    default: http://garage.storage.svc:3900
+    default: http://garage-s3.storage.svc:3900
   garage-admin-token:
     description: Garage admin API token (required only when site.yaml has aliases — used to reconcile bucket globalAliases)
     required: false

scripts/utils.py

@@ -12,7 +12,7 @@ from jinja2 import Environment, FileSystemLoader
 APPS_REPO = "fritzlab/apps"
 GITEA_HOST = "code.fritzlab.net"
 NAMESPACE = "websites"
-DEFAULT_S3_ENDPOINT = "http://garage.storage.svc:3900"
+DEFAULT_S3_ENDPOINT = "http://garage-s3.storage.svc:3900"
 
 EXCLUDE_FILES = {
     ".git", ".gitea", ".gitignore", "site.yaml",