From 8205757a6fdb0c969e529fcb34f6c175e0c5cd06 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=9C=BF=20corey?=
Date: Mon, 30 Oct 2023 10:37:03 -0700
Subject: [PATCH 1/4] Document permissions
---
 README.md | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/README.md b/README.md
index 4a33c56..7044a86 100644
--- a/README.md
+++ b/README.md
@@ -54,6 +54,24 @@ jobs:
 See [`action.yml`](./action.yml).
+## Permissions
+
+Running this action requires the following permissions:
+
+```yaml
+permissions:
+ id-token: write
+ contents: read
+ pull-requests: write
+```
+
+These are required to be explicitly set for repositories with [restricted
+default access][perms] for workflows or to allow a workflow run triggered by
+Dependabot pull requests, which are run as if they are from a forked
+repository and use a read-only `GITHUB_TOKEN`.
+
+[perms]: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
+
 ## Additional Options
 You can also match based on specific file changes by supplying the
From e3a4ce7d93707fb506be5f5911b778f82a41f547 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=9C=BF=20corey?=
Date: Mon, 30 Oct 2023 11:00:23 -0700
Subject: [PATCH 2/4] Remove unnecessary `id-token` permission
---
 README.md | 1 -
 1 file changed, 1 deletion(-)
diff --git a/README.md b/README.md
index 7044a86..e6e07a9 100644
--- a/README.md
+++ b/README.md
@@ -60,7 +60,6 @@ Running this action requires the following permissions:
 ```yaml
 permissions:
- id-token: write
 contents: read
 pull-requests: write
 ```
From b2adc658e983902228b9b69d141cb99a5c0f1b88 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=9C=BF=20corey?=
Date: Mon, 30 Oct 2023 11:32:37 -0700
Subject: [PATCH 3/4] Example workflow
---
 .github/commenter.yml | 21 +++++++++++++++++++++
 .github/workflows/example.yml | 13 +++++++++++++
 2 files changed, 34 insertions(+)
 create mode 100644 .github/commenter.yml
 create mode 100644 .github/workflows/example.yml
diff --git a/.github/commenter.yml b/.github/commenter.yml
new file mode 100644
index 0000000..4950adb
--- /dev/null
+++ b/.github/commenter.yml
@@ -0,0 +1,21 @@
+Backend:
+ where:
+ path:
+ matches: "backend/**/*"
+ body: |
+ :wave: You've changed Backend code, please:
+
+ - [ ] Do this
+ - [ ] And this
+ - [ ] And that
+
+Frontend:
+ where:
+ path:
+ matches: "frontend/**/*"
+ body: |
+ :wave: You've changed Frontend code, please:
+
+ - [ ] Do this
+ - [ ] And this
+ - [ ] And that
diff --git a/.github/workflows/example.yml b/.github/workflows/example.yml
new file mode 100644
index 0000000..b15722a
--- /dev/null
+++ b/.github/workflows/example.yml
@@ -0,0 +1,13 @@
+name: Example
+
+on:
+ pull_request:
+ types: [opened]
+
+jobs:
+ comment:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/commenter@v1
+ with:
+ repo-token: "${{ secrets.GITHUB_TOKEN }}"
From ecd30b67ebe3e8ca01b008d9990441d0a85854b6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=9C=BF=20corey?=
Date: Mon, 30 Oct 2023 11:32:43 -0700
Subject: [PATCH 4/4] Add integration job to CI with minimal permissions
---
 .github/workflows/ci.yml | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 1650d18..e281f1f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -18,3 +18,14 @@ jobs:
 - run: npm install
 - run: npm run build
 - run: npm test
+
+ integration:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ pull-requests: write
+ steps:
+ - uses: actions/checkout@v4
+ - uses: ./
+ with:
+ repo-token: "${{ secrets.GITHUB_TOKEN }}"
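Review bot: The `comment` job in `.github/workflows/example.yml` declares no `permissions:` block, although the README text added in PATCH 1/4 says `contents: read` and `pull-requests: write` must be set explicitly, and the `integration` job added in PATCH 4/4 does set exactly those. On a repository whose default `GITHUB_TOKEN` is restricted, the commenting step would presumably fail, and this example is the snippet users copy. Adding `permissions:` with `contents: read` and `pull-requests: write` under `comment:` (three lines, mirroring the ci.yml job) keeps the example both runnable and least-privilege.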
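Review bot: The job-level `permissions:` on `integration` cannot help pull requests opened from forks, because `GITHUB_TOKEN` on fork-triggered `pull_request` runs stays read-only regardless of that block, so the `uses: ./` step would fail for outside contributors; the workflow's `on:` trigger and the enclosing `jobs:` mapping are outside this hunk, so whether forks reach this job is inferred. A job guard such as `if: github.event.pull_request.head.repo.full_name == github.repository`, or a comment stating that fork PRs are expected to skip this job, would keep CI green for them. Separately, `actions/checkout@v4` is referenced by a moving tag; pinning to a full-length commit SHA with the version in a trailing comment is the usual supply-chain hardening for reusable actions.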