The deployment of static websites via GitHub Actions has evolved from a simple utility into a critical component of modern developer workflows, requiring precise configuration to maintain stability and security. The peaceiris/actions-gh-pages action remains a dominant force in this ecosystem, supporting a wide array of static site generators including Hugo, MkDocs, Gatsby, mdBook, Next, and Nuxt. However, maintaining these workflows demands rigorous attention to version pinning, authentication protocols, and, most critically, adherence to GitHub’s evolving infrastructure policies regarding artifact management. As of late 2024 and into 2025, the landscape is shifting due to the deprecation of legacy artifact actions, necessitating immediate updates to deployment pipelines to prevent operational failures.
Authentication Mechanisms and Token Privileges
Authentication is the foundational layer of any deployment action, and peaceiris/actions-gh-pages supports three distinct methods, each with specific use cases and limitations. Understanding the nuances between these methods is essential for both public and private repository management.
github_token: This is the default and most convenient option. A GitHub Actions runner automatically creates aGITHUB_TOKENsecret to authenticate the workflow. It supports HTTPS protocols for both private and public repositories without any additional setup. However, it carries significant limitations, particularly regarding the first deployment. For initial deployments, thegh-pagesbranch (or an alternative branch) must be manually selected in the repository settings tab. Furthermore, the automatically generatedGITHUB_TOKENmay not inherently possess the push or publish privileges required for certain complex deployment scenarios, especially when dealing with private repositories or specific branch protections.deploy_key: This method utilizes SSH keys for authentication. It is supported for both private and public repositories but requires explicit setup. Users must generate an SSH key pair using the commandssh-keygen -t rsa -b 4096 -C "$(git config user.email)" -f gh-pages -N "". This generates two files:gh-pages.pub(the public key) andgh-pages(the private key). The public key must be added to the repository's "Deploy Keys" section with write access enabled. The private key must then be added to the repository's "Secrets" asACTIONS_DEPLOY_KEY. This method is often recommended for scenarios whereGITHUB_TOKENprivileges are insufficient.personal_token: This method uses a Personal Access Token (PAT) over HTTPS. It supports both private and public repositories but requires manual setup of the token in the repository secrets. While flexible, it introduces additional security overhead by requiring long-lived credentials that must be managed and rotated manually.
| Token Type | Private Repo Support | Public Repo Support | Protocol | Setup Required |
|---|---|---|---|---|
github_token |
Yes | Yes | HTTPS | None |
deploy_key |
Yes | Yes | SSH | Yes |
personal_token |
Yes | Yes | HTTPS | Yes |
It is critical to note that the GITHUB_TOKEN is not a personal access token. It is ephemeral and scoped to the repository. For workflows requiring advanced permissions or cross-repository deployment, deploy_key or personal_token are necessary alternatives.
Version Pinning and Workflow Stability
A common misconfiguration in GitHub Actions workflows involves referencing actions by branch name, such as peaceiris/actions-gh-pages@main. This practice is strongly discouraged because major releases, which may contain breaking changes, could be pulled into the workflow silently during routine CI runs. This can lead to unexpected deployment failures or security vulnerabilities.
To ensure stability, workflows must pin the action to a specific version tag or commit hash. Using a semantic version tag, such as peaceiris/actions-gh-pages@v4, is considered a best practice. For maximum stability, pinning to a specific commit hash, such as peaceiris/actions-gh-pages@373f7f263a76c20808c831209c920827a82a2847 (corresponding to v3.9.3), is recommended. This ensures that the workflow will always execute with the exact code version verified at the time of configuration.
Verification of release assets can be performed locally to ensure integrity:
git clone https://github.com/peaceiris/actions-gh-pages.git
cd ./actions-gh-pages
git checkout v3.9.3
nvm install
nvm use
npm i -g npm
npm ci
npm run build
git diff ./lib/index.js
If the git diff command returns a zero exit code, the local build matches the published version, confirming the integrity of the release.
Deployment Configuration and Asset Management
The action provides several configuration options to control how assets are deployed to the target branch. By default, the action deploys to the root of the publishing branch. However, users can specify a destination_dir to place assets in a subdirectory. For example, setting destination_dir: subdir will deploy all assets into a folder named subdir on the gh-pages branch. This feature is currently in beta, and feedback is encouraged via issue tracking systems.
Excluding specific files or directories from the deployment is managed via the exclude_assets parameter. By default, the .github directory is excluded. Users can customize this list by providing a comma-separated string of paths or glob patterns. For instance:
- name: Deploy
uses: peaceiris/actions-gh-pages@v4
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
exclude_assets: '.github,exclude-file.txt,exclude-dir/**.txt'
To include the .github directory in the deployment, users can set exclude_assets to an empty string: exclude_assets: ''. Note that when including .github, the github_token may not work due to permission limitations; in such cases, deploy_key or personal_token is recommended.
Custom domain configuration is handled via the cname option or by placing a CNAME file directly into the publish_dir. After deployment, users can verify the presence of tags on the gh-pages branch by running:
git fetch origin
git tag
This will display tags such as deploy-v1.2.3 on the gh-pages branch and v1.2.3 on the main branch, facilitating version tracking and rollback capabilities.
Cross-Platform Compatibility
The peaceiris/actions-gh-pages action is designed to operate across multiple runner environments. It supports Linux (Ubuntu), macOS, and Windows runners. Compatibility varies slightly by operating system and authentication method.
| Runner | github_token |
deploy_key |
personal_token |
|---|---|---|---|
ubuntu-22.04 |
Supported | Supported | Supported |
ubuntu-20.04 |
Supported | Supported | Supported |
ubuntu-latest |
Supported | Supported | Supported |
macos-latest |
Supported | Supported | Supported |
windows-latest |
Supported | Limited | Supported |
Support for GitHub Enterprise Server (GHES) is available for versions 2.22.6 and above. Users should verify their server version to ensure compatibility with the latest action features.
Deprecation of Legacy Artifact Actions
A critical development affecting GitHub Pages deployments is the deprecation of actions/upload-artifact and actions/download-artifact actions. GitHub announced that these legacy actions will be deprecated and no longer supported on GitHub.com after January 30, 2025. They are being replaced by v4 versions of the artifact actions, which offer improved performance and new features.
This change directly impacts custom GitHub Pages workflows that rely on intermediate artifact storage for build outputs. Workflows must be updated to use the v4 versions of the upload and download artifact actions. Failure to update before the deadline will result in deployment failures. This change does not affect GitHub Enterprise Server instances, which continue to operate on their own update schedules.
For workflows using static site generators like Hugo, the standard deployment pattern often involves building the site and then deploying the output directory. An example of a compliant workflow structure is:
- uses: actions/checkout@v4
with:
submodules: true
fetch-depth: 0
- name: Setup Hugo
uses: peaceiris/actions-hugo@v2
with:
hugo-version: '0.110.0'
- name: Build
run: hugo --minify
- name: Deploy
uses: peaceiris/actions-gh-pages@v4
if: github.ref == 'refs/heads/main'
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
publish_dir: ./public
In this example, the peaceiris/actions-gh-pages@v4 action directly deploys the ./public directory generated by the Hugo build. This direct deployment method avoids the need for intermediate artifact storage, thereby bypassing the deprecation issue entirely. However, if a workflow requires artifact storage for caching or cross-step data transfer, the actions/upload-artifact@v4 and actions/download-artifact@v4 actions must be used.
Conclusion
The maintenance of GitHub Pages deployments via peaceiris/actions-gh-pages requires a strategic approach to authentication, version control, and compliance with GitHub’s evolving infrastructure standards. While the action provides robust support for multiple static site generators and authentication methods, the deprecation of legacy artifact actions necessitates immediate action from developers relying on intermediate storage steps. Pinning action versions to specific tags or commits is essential for workflow stability, and careful consideration of token privileges is required to avoid deployment failures. As the ecosystem shifts toward v4 artifact actions, developers must audit their workflows to ensure continued operational integrity and security.