install hugo from debian or a more trusted location
since the epic "updates to the layout" commit (d7506aca), hugo has been installed through npm. i think it's a bad idea for "supply chain" reasons: we should reduce the number of upstreams and intermediates we rely on.
before that broken change was fixed, we were using the hugo image to build the site, now we're using some node js image. i tried to use a debian image after the revert, and that seemed to work well. so pending work to use a npm-specific image (tpo/tpa/base-images#10 (closed)), i think we could just use a debian image, install npm and hugo, and build the site from there.
(and even with a node image, that won't have hugo built-in, so we'd still be stuck with a problem like this, although we could probably install hugo from debian if the image is based on debian.)