Document GitHub fine-grained personal token permissions

[Siilwyn]

Thoughts on adding needed permissions to the readme?

After some trial and error it seems that the 'new' personal access tokens need the following permissions:

[davidar]

You can also use GITHUB_TOKEN with these permissions:

permissions: 
   contents: read 
   pull-requests: write 
   deployments: write

[Siilwyn]

@davidar oh that's possibly a lot better! No more generating tokens on a 'bot' GH account. Are there any downsides to this? I don't see it mentioned in the readme.
Guess the GH PR comment author would be 'less nice'?

[davidar]

I haven't noticed any downsides, it just means the comments come from the "github-actions" bot

[pm0u]

You can also use GITHUB_TOKEN with these permissions:

permissions: 
   contents: read 
   pull-requests: write 
   deployments: write

is this a yaml config that we set somewhere or are you just noting the permissions needed when creating the fine grained token?

Edit: got it, hadn't seen this before:
https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions

then you can just use the secret without having to generate anything
https://docs.github.com/en/actions/security-guides/automatic-token-authentication#using-the-github_token-in-a-workflow