From 531a0365f0a7dba0c9b3edca40968be698841761 Mon Sep 17 00:00:00 2001 From: Adrien Bernede <51493078+adrienbernede@users.noreply.github.com> Date: Thu, 3 Jun 2021 18:11:20 -0700 Subject: [PATCH] chore: add permissions configuration in the README.md (#96) * Mention permissions configuration in the README.md * Apply suggestions from code review Co-authored-by: Steven Co-authored-by: Steven --- README.md | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 7e5287cd..deecd2d3 100644 --- a/README.md +++ b/README.md @@ -29,7 +29,6 @@ jobs: # ... etc ``` - ### Advanced: Canceling Other Workflows In some cases, you may wish to avoid modifying all your workflows and instead create a new workflow that cancels your other workflows. This can be useful when you have a problem with workflows getting queued. 
@@ -121,6 +120,29 @@ jobs: access_token: ${{ github.token }} ``` +### Advanced: Token Permissions + +No change to permissions is required by default. The instructions below are for improved control over of those permissions. + +By default, GitHub creates the `GITHUB_TOKEN` for Actions with some read/write permissions. It may be a good practice to switch to read-only permissions by default. Visit the [dedicated documentation page](https://docs.github.com/en/github/administering-a-repository/managing-repository-settings/disabling-or-limiting-github-actions-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository) for details. + +Permissions can be set for all Jobs in a Workflow or a specific Job, see the [reference manual page](https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#permissions). `cancel-workflow-action` only requires write access to the `actions` scope, so it is enough to have: + +```yml +jobs: + test: + runs-on: ubuntu-latest + permissions: + actions: write + steps: + - name: Cancel Previous Runs + uses: styfle/cancel-workflow-action@0.9.0 + with: + access_token: ${{ github.token }} +``` + +_Note_ : This is typical when global access is set to be restrictive. Only this job will elevate those permissions. + ## Contributing - Clone this repo
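Review bot: The whitespace-only removal in the first hunk (`@@ -29,7 +29,6 @@`, the blank line ahead of `### Advanced: Canceling Other Workflows`) is unrelated to the permissions documentation named in the subject line. Either move it to a separate formatting commit or mention it in the commit message, so the history for this change contains only the new section.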
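Review bot: The opening paragraph of the new `### Advanced: Token Permissions` section in the second hunk (`@@ -121,6 +120,29 @@`) has a wording slip, "improved control over of those permissions", which should read "improved control over those permissions". The closing `_Note_ :` also has a stray space before the colon. Two documentation gaps in the same hunk are worth closing. First, the example sets only `actions: write` in a job named `test`; once a `permissions` key is present, every scope not listed is set to none, so the text should say that a job which also runs other steps (a checkout, for instance) needs those scopes listed too, such as `contents: read`. Without that sentence a reader who copies the block into an existing job will see later steps fail with no obvious cause. Second, since the section is about limiting what a write-capable token can reach, consider noting that `uses: styfle/cancel-workflow-action@0.9.0` can be pinned to a full commit SHA instead of a tag, so the code that receives `access_token` cannot change underneath the workflow.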