diff --git a/.github/workflows/deploy-fastn-com.yml b/.github/workflows/deploy-fastn-com.yml
index 223ebb980..e1b0aa3b4 100644
--- a/.github/workflows/deploy-fastn-com.yml
+++ b/.github/workflows/deploy-fastn-com.yml
@@ -5,11 +5,10 @@ on:
   push:
     branches: [ main ]
 
-permissions:
-  id-token: write   # This is required for requesting the JWT
-  contents: read    # This is required for actions/checkout
-
 jobs:
+  env:
+    # https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions
+    FIFTHTRY_SITE_WRITE_TOKEN: ${{ secrets.FIFTHTRY_SITE_WRITE_TOKEN }}
   build:
     runs-on: ubuntu-latest
     steps:
@@ -20,4 +19,5 @@ jobs:
           rm .gitignore # so that `fastn upload` uploads .packages/ too
           cd fastn.com
           echo "Using $(fastn --version) to upload fastn.com to FifthTry"
+          # Requires FIFTHTRY_SITE_WRITE_TOKEN to be set
           fastn upload fastn >> $GITHUB_STEP_SUMMARY