Best practice for protection of the gh-pages branch?

[James-Oswald]

By default, the gh-pages branch created by this action is unprotected. What are best practices for protecting the branch? Is it possible to allow only the GH action to modify the gh-pages branch, and if so, how?

[peaceiris]

Yes, the branch protection rules are helpful for that use case.

Restrict who can push to matching branches: Specify people, teams, or apps allowed to push to matching branches. Required status checks will still prevent these people, teams, and apps from merging if the checks fail.

https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#restrict-who-can-push-to-matching-branches

The first choice is creating a personal access token for the github_token input and adding a user who owns the PAT to that setting. The best is creating a GitHub App, adding the app to that setting, and generating a token with actions/create-github-app-token to deploy.