The README seems to show conflicting information regarding the permissions necessary for the token.
In the sample workflow it indicates security-events: write is required for all workflows (as opposed to private repo workflows).
But under the token docs, it contradicts that statement:
Token with the public_repo scope for public repositories only.
Describe the solution you'd like
Through trial and error it became clear that security-events: write is indeed necessary for public repos (contradicting the docs for token in the README). But only if using the action itself to upload? One could skip the upload, or use GitHub's own CodeQL action to upload, which would presumably only require contents: read for this action?
Either way, I think this confusion could be cleared up a bit.
Type of issue: other