From c8a666accc891e2b8107604d4406788bf585a650 Mon Sep 17 00:00:00 2001
From: Jamie Tanna <github@jamietanna.co.uk>
Date: Wed, 2 Feb 2022 15:43:53 +0000
Subject: [PATCH] Clarify `permissions` required to use Action

As a means to reduce the privileges provided to the job executing, we
can document what the minimal `permissions` required for the Actions'
`GITHUB_TOKEN` is.
---
 README.md | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 2abc38b7..03da8c83 100644
--- a/README.md
+++ b/README.md
@@ -95,6 +95,9 @@ on:
 
 jobs:
   triage:
+    permissions:
+      contents: read
+      pull-requests: write
     runs-on: ubuntu-latest
     steps:
     - uses: actions/labeler@v3
@@ -110,7 +113,7 @@ Various inputs are defined in [`action.yml`](action.yml) to let you configure th
 
 | Name | Description | Default |
 | - | - | - |
-| `repo-token` | Token to use to authorize label changes. Typically the GITHUB_TOKEN secret | N/A |
+| `repo-token` | Token to use to authorize label changes. Typically the GITHUB_TOKEN secret, with `contents:read` and `pull-requests:write` access | N/A |
 | `configuration-path` | The path to the label configuration file | `.github/labeler.yml` |
 | `sync-labels` | Whether or not to remove labels when matching files are reverted or no longer changed by the PR | `false`