feat: add info about GITHUB_TOKEN

tasks/009-deploying-to-github-pages.md

@@ -362,6 +362,7 @@ Your task is to create a deployment workflow for this workshop!
 
 1. Create a new workflow file `.github/workflows/deploy.yml`
 2. The workflow should:
+
    - Trigger on pushes to the `main` branch
    - Build the site using `npm run build`
    - Deploy the `dist/` directory to GitHub Pages
@@ -370,6 +371,7 @@ Your task is to create a deployment workflow for this workshop!
    - Use the `github-pages` environment for the deploy job
 
 3. Before running the workflow:
+
    - Configure GitHub Pages in repository settings (Settings → Pages → Source: "GitHub Actions")
 
 4. After the workflow runs:
@@ -551,3 +553,12 @@ Your workshop is now live and automatically updates with every change! 🎉
 - [Workflow Permissions](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions)
 
 [Next Lesson: Lesson 10 - Matrices](010-matrices.md)
+
+<!--
+Add:
+You might ask yourself, how do we deploy without a token? Is there no security here?? Each workflow will be issued a short-lived token. This token can be used to authenticate API requests and is scoped to the permissions defined in the workflow. This means that even if someone were to intercept this token, they would only be able to perform actions that the workflow is permitted to do, and only for a limited time.
+
+The token can be accessed in your workflow using the `${{ secrets.GITHUB_TOKEN }}` variable. This token is automatically generated by GitHub for each workflow run, so you don't need to create or manage it manually.
+
+The token only has read permissions to the repository by default. If your workflow needs to perform write operations, such as pushing code or creating releases, you must explicitly set the required permissions in your workflow file.
+-->