diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
new file mode 100644
index 0000000..44397bd
--- /dev/null
+++ b/.github/workflows/deploy.yml
@@ -0,0 +1,30 @@
+name: Deploy
+
+on:
+ push:
+ branches:
+ - main
+
+jobs:
+ Configure-GCP-Project:
+ runs-on: ubuntu-latest
+ environment: production
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ submodules: recursive
+
+ - uses: 'google-github-actions/auth@v1'
+ with:
+ credentials_json: '${{ secrets.GCP_DEPLOYER_SA }}'
+
+ - uses: hashicorp/setup-terraform@v2
+ with:
+ terraform_version: 1.1.4
+
+ - name: Build image and push
+ env:
+ GOOGLE_CREDENTIALS: ${{ secrets.GCP_DEPLOYER_SA }}
+ run: |
+ mkdir matthewlymer.github.io/.jekyll-cache
+ make -C ./deploy push
diff --git a/Makefile b/Makefile
deleted file mode 100644
index aa43fd9..0000000
--- a/Makefile
+++ /dev/null
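Review bot: The three actions in the `steps` block (`actions/checkout@v3`, `google-github-actions/auth@v1`, `hashicorp/setup-terraform@v2`) are pinned to mutable major tags, so this job — which holds a GCP service-account key with registry and state-bucket write access — runs whatever those tags resolve to on the day it fires; pin each `uses:` to a full commit SHA with the tag in a trailing comment. The job also declares no `permissions:` block, so the GITHUB_TOKEN gets the repository default; `permissions:` with `contents: read` at the workflow or job level is sufficient for a checkout-and-push job. Since `google-github-actions/auth@v1` supports `workload_identity_provider`, the long-lived `credentials_json` key (re-exported as `GOOGLE_CREDENTIALS` in the last step) could be replaced with keyless federation and the secret removed from GitHub entirely; I cannot tell from this hunk whether the make target needs the raw env var. Finally, `mkdir matthewlymer.github.io/.jekyll-cache` fails the step if the directory already exists in the submodule, so `mkdir -p` is the safer form.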
@@ -1,34 +0,0 @@
-DOCKER_TAG := latest
-DOCKER_REGISTRY_DOMAIN := gcr.io
-DOCKER_IMAGE := $(DOCKER_REGISTRY_DOMAIN)/matthewlymer-lymersite/httpd:$(DOCKER_TAG)
-
-JEKYLL_VERSION=3.8
-
-.PHONY: list
-list:
- @LC_ALL=C $(MAKE) -pRrq -f $(lastword $(MAKEFILE_LIST)) : 2>/dev/null | awk -v RS= -F: '/(^|\n)# Files(\n|$$)/,/(^|\n)# Finished Make data base/ {if ($$1 !~ "^[#.]") {print $$1}}' | sort | egrep -v -e '^[^[:alnum:]]' -e '^$@$$'
-
-.PHONY: clean
-clean:
- rm -r ${PWD}/matthewlymer.github.io/_site
-
-.PHONY: build
-build: clean
- docker run -it --rm \
- --env "JEKYLL_ENV=production" \
- --env "JEKYLL_DATA_DIR=/srv/matthewlymer.github.io" \
- --volume="${PWD}/.git:/srv/.git:Z" \
- --volume="${PWD}/matthewlymer.github.io:/srv/matthewlymer.github.io:Z" \
- --volume="${PWD}/.jekyll/bundle:/usr/local/bundle:Z" \
- --workdir "/srv/matthewlymer.github.io" \
- jekyll/jekyll:$(JEKYLL_VERSION) \
- jekyll build
-
-.PHONY: docker-build
-docker-build:
- docker build --tag "$(DOCKER_IMAGE)" --file "./containers/httpd/Dockerfile" .
-
-.PHONY: docker-push
-docker-push: docker-build
- gcloud auth configure-docker "$(DOCKER_REGISTRY_DOMAIN)" --quiet
- docker push "$(DOCKER_IMAGE)"
diff --git a/containers/httpd/Dockerfile b/containers/httpd/Dockerfile
index b927584..ecb48b3 100644
--- a/containers/httpd/Dockerfile
+++ b/containers/httpd/Dockerfile
@@ -16,7 +16,7 @@ COPY .git ../.git
 RUN mkdir /output && chown jekyll /output
-RUN JEKYLL_ENV=production jekyll build --destination /output
+RUN JEKYLL_ENV=production jekyll build --trace --destination /output
 FROM httpd:2.4
diff --git a/deploy/Makefile b/deploy/Makefile
index 7de5c2d..b066a18 100644
--- a/deploy/Makefile
+++ b/deploy/Makefile
@@ -1,10 +1,16 @@
 DOCKER_TAG:=$(shell git rev-parse HEAD)
-DOCKER_REGISTRY_DOMAIN:=gcr.io
-DOCKER_IMAGE:=$(DOCKER_REGISTRY_DOMAIN)/matthewlymer-lymersite/httpd:$(DOCKER_TAG)
+DOCKER_REGISTRY_DOMAIN:=us-central1-docker.pkg.dev
+DOCKER_IMAGE:=$(DOCKER_REGISTRY_DOMAIN)/matthewlymer-lymersite/default/httpd:$(DOCKER_TAG)
 .PHONY: build
 build:
- docker build --platform=linux/amd64 --tag $(DOCKER_IMAGE) --file "../containers/httpd/Dockerfile" ../
+ docker buildx build \
+ --tag=$(DOCKER_IMAGE) \
+ --cache-to type=gha,mode=max \
+ --cache-from type=gha \
+ --platform=linux/amd64 \
+ --file="../containers/httpd/Dockerfile" \
+ ../
 .PHONY: push
 push: build
diff --git a/deploy/project/README.md b/deploy/project/README.md
new file mode 100644
index 0000000..a5fffdc
--- /dev/null
+++ b/deploy/project/README.md
@@ -0,0 +1,9 @@
+# Required github personal-access-token configuration
+https://github.com/settings/tokens
+
+Repos:
+ - lymersite
+
+Permissions:
+ - Read access to metadata
+ - Read and Write access to administration, environments, and secrets
diff --git a/deploy/project/deployer-sa.tf b/deploy/project/deployer-sa.tf
index 83f5590..a2b0291 100644
--- a/deploy/project/deployer-sa.tf
+++ b/deploy/project/deployer-sa.tf
@@ -4,8 +4,8 @@ resource "google_service_account" "github_actions_deployer" {
 display_name = "GitHub Actions deployer"
 }
-resource "google_storage_bucket_iam_member" "github_actions_deployer" {
- bucket = "artifacts.${local.project.id}.appspot.com"
+resource "google_storage_bucket_iam_member" "github_actions_deployer_tfstate_admin" {
+ bucket = "490635812867-tfstate"
 role = "roles/storage.objectAdmin"
 member = "serviceAccount:${google_service_account.github_actions_deployer.email}"
 }
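Review bot: `--cache-to type=gha,mode=max` and `--cache-from type=gha` in the new `build` recipe need BuildKit's GitHub Actions cache backend, which is not supported by the default `docker` driver (cache export needs a `docker-container` builder) and which reads the runner's `ACTIONS_RUNTIME_TOKEN`/`ACTIONS_CACHE_URL` from the environment; the deploy.yml in this commit invokes `make -C ./deploy push` from a plain `run:` step with no buildx setup, so I would expect this target to fail or at best build without caching on CI. Either add a `docker/setup-buildx-action` step and expose the runtime variables (for example via `crazy-max/ghaction-github-runtime`) before the make call, or keep the gha cache flags out of the Makefile and pass them in from the workflow so local builds are unaffected. The `push` recipe that consumes `$(DOCKER_IMAGE)` continues outside the hunk.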
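Review bot: `github_actions_deployer_tfstate_admin` grants the GitHub Actions service account `roles/storage.objectAdmin` on `490635812867-tfstate`, which is the same bucket that main.tf's `backend "gcs"` uses for this project-level configuration (prefix `matthewlymer-lymersite-project`). Terraform state stores resource attributes in plaintext, including `google_service_account_key.github_actions_deployer.private_key` and the decoded `plaintext_value` written to the GitHub secret, so the workflow identity can read and rewrite the state that defines its own IAM bindings. If the workflow only needs objects under its own prefix (I cannot see that backend from here), add a `condition` block to this binding that restricts `resource.name` to that prefix; otherwise do what the TODO added to main.tf in this commit already proposes and keep the project-level state in a bucket this account cannot reach.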
@@ -14,8 +14,10 @@ resource "google_service_account_key" "github_actions_deployer" {
 service_account_id = google_service_account.github_actions_deployer.name
 }
-resource "github_actions_secret" "github_actions_deployer_key" {
- repository = local.github.repository
- secret_name = "GCP_DEPLOYER_SA"
- plaintext_value = base64decode(google_service_account_key.github_actions_deployer.private_key)
-}
\ No newline at end of file
+resource "google_artifact_registry_repository_iam_member" "github_actions_deployer_default_writer" {
+ project = local.project.id
+ location = google_artifact_registry_repository.default.location
+ repository = google_artifact_registry_repository.default.name
+ role = "roles/artifactregistry.writer"
+ member = "serviceAccount:${google_service_account.github_actions_deployer.email}"
+}
diff --git a/deploy/project/github-environment.tf b/deploy/project/github-environment.tf
new file mode 100644
index 0000000..9a885a6
--- /dev/null
+++ b/deploy/project/github-environment.tf
@@ -0,0 +1,13 @@
+# TODO: protect branch
+
+resource "github_repository_environment" "production" {
+ repository = local.github.repository
+ environment = "production"
+}
+
+resource "github_actions_environment_secret" "github_actions_deployer_key" {
+ repository = local.github.repository
+ environment = github_repository_environment.production.environment
+ secret_name = "GCP_DEPLOYER_SA"
+ plaintext_value = base64decode(google_service_account_key.github_actions_deployer.private_key)
+}
diff --git a/deploy/project/main.tf b/deploy/project/main.tf
index 65e85c6..1efea2c 100644
--- a/deploy/project/main.tf
+++ b/deploy/project/main.tf
@@ -14,7 +14,7 @@ locals {
 variable "github_token" {
 type = string
- description = "The fine grained personal access token with read/write permissions for 'Secrets' on the target repository. See https://github.com/settings/tokens"
+ description = "The fine grained personal access token"
 }
 variable "alerting_email" {
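Review bot: `github_repository_environment.production` is created with no `deployment_branch_policy` (and no `reviewers`), so the environment adds no gating: any workflow run on any branch of the repository that declares `environment: production` can read `GCP_DEPLOYER_SA`, which makes the move from a repository secret to an environment secret cosmetic until the `# TODO: protect branch` is done. Add `deployment_branch_policy { protected_branches = true  custom_branch_policies = false }` to the environment together with a `github_branch_protection` resource for `main`, so the key is only released to runs on a protected branch. Note also that `plaintext_value` decodes the service-account private key into Terraform state; whoever can read the backend bucket can read the key.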
@@ -39,7 +39,7 @@ resource "google_project" "default" {
 terraform {
 backend "gcs" {
- bucket = "490635812867-tfstate"
+ bucket = "490635812867-tfstate" # TODO: this should probably be in a different bucket for security reasons
 prefix = "matthewlymer-lymersite-project"
 }
@@ -48,4 +48,4 @@ terraform {
 source = "integrations/github"
 }
 }
-}
\ No newline at end of file
+}
diff --git a/deploy/project/project-services.tf b/deploy/project/project-services.tf
index 0156295..d04b99c 100644
--- a/deploy/project/project-services.tf
+++ b/deploy/project/project-services.tf
@@ -1,4 +1,4 @@
-resource "google_project_service" "container" {
+resource "google_project_service" "artifactregistry" {
 project = google_project.default.id
- service = "container.googleapis.com"
+ service = "artifactregistry.googleapis.com"
 }
diff --git a/deploy/project/registry.tf b/deploy/project/registry.tf
new file mode 100644
index 0000000..15234d8
--- /dev/null
+++ b/deploy/project/registry.tf
@@ -0,0 +1,5 @@
+resource "google_artifact_registry_repository" "default" {
+ location = "us-central1"
+ repository_id = "default"
+ format = "DOCKER"
+}
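Review bot: `google_artifact_registry_repository.default` in registry.tf carries no dependency on `google_project_service.artifactregistry` (project-services.tf in this commit), so on a fresh project Terraform may try to create the repository before artifactregistry.googleapis.com is enabled and fail the first apply; add `depends_on = [google_project_service.artifactregistry]` to the resource. The rename of the service resource from `container` to `artifactregistry` is a destroy-and-create for Terraform, and with the provider's default `disable_on_destroy` that will disable container.googleapis.com on apply — fine if nothing in the project uses it, but worth confirming before running. Consider also setting `project = local.project.id` on the repository, matching the IAM member in deployer-sa.tf, rather than relying on the provider's default project.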