From fd231671b2851ed88cc6ca3211df7779ceb70d13 Mon Sep 17 00:00:00 2001
From: Matthew Peveler
Date: Wed, 27 Oct 2021 17:56:37 -1000
Subject: [PATCH] Limit GITHUB_TOKEN scope for workflows (#1522)

---
 .github/workflows/deploy.yml | 3 +++
 .github/workflows/dev_deploy.yml | 28 +++++++++++++++++++---------
 2 files changed, 22 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 1b3dfbd..f314c6b 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -6,6 +6,9 @@ on:
 
 jobs:
   deploy:
+    permissions:
+      contents: write
+
     runs-on: ubuntu-latest
     env:
       ruby-version: 2.5
diff --git a/.github/workflows/dev_deploy.yml b/.github/workflows/dev_deploy.yml
index 9262098..198640a 100644
--- a/.github/workflows/dev_deploy.yml
+++ b/.github/workflows/dev_deploy.yml
@@ -5,7 +5,25 @@ on:
     branches: [ 'dev' ]
 
 jobs:
-  deploy:
+  push_to_registry:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v2
+
+      - name: Push to Docker Hub
+        uses: docker/build-push-action@v1
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_ACCESS_KEY }}
+          repository: slatedocs/slate
+          tag_with_ref: true
+
+  deploy_gh:
+    permissions:
+      contents: write
+
     runs-on: ubuntu-latest
     env:
       ruby-version: 2.5
@@ -33,14 +51,6 @@ jobs:
 
       - run: bundle exec middleman build
 
-      - name: Push to Docker Hub
-        uses: docker/build-push-action@v1
-        with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_ACCESS_KEY }}
-          repository: slatedocs/slate
-          tag_with_ref: true
-
       - name: Deploy
         uses: peaceiris/actions-gh-pages@v3.7.0-8
         with:
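Review bot: The job-level `permissions:` block narrows the GITHUB_TOKEN only for the `deploy` job; the workflow itself still inherits the repository's default token permissions, so any job later added to this file without its own block starts at that default rather than at least privilege. A workflow-level `permissions:` / `  contents: read` next to `on:` makes read-only the file default, and the job-level `contents: write` added here keeps overriding it for the deploy step. The same applies to `dev_deploy.yml` in the next hunk. The `deploy` job's steps continue outside the hunk.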
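Review bot: The new `push_to_registry` job has no `permissions:` block, so it runs with the repository's default GITHUB_TOKEN scope even though its two steps need at most `contents: read` (checkout) and the Docker push authenticates with `secrets.DOCKER_USERNAME` / `secrets.DOCKER_ACCESS_KEY`, not the token; `deploy_gh` in the same hunk gets an explicit block, so this job looks like an omission given the commit's purpose. Adding `    permissions:` / `      contents: read` directly under `push_to_registry:` closes it. Separately, `actions/checkout@v2` and `docker/build-push-action@v1` are referenced by mutable tags; pinning them to a full commit SHA would make the job's supply chain reproducible. The `deploy_gh` job continues outside the hunk.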