From beb779bf2267bb1c0ac81cb31db729cdfcc963aa Mon Sep 17 00:00:00 2001
From: Josh Buker <accounts+github@joshbuker.com>
Date: Sat, 5 Oct 2024 14:03:54 +0000
Subject: [PATCH] Update README to include bit about permissions near the top
 (#496)

Currently the info about permissions is below the fold, and I missed it when implementing the action for my own projects.

Signed-off-by: Josh Buker <git-commit@joshbuker.com>
---
 README.md | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/README.md b/README.md
index 5c615d72..1990d88e 100644
--- a/README.md
+++ b/README.md
@@ -17,6 +17,17 @@ and upload a workflow artifact SBOM in SPDX format. It will also detect
 if being run during a [GitHub release](https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases)
 and upload the SBOM as a release asset.
 
+> [!IMPORTANT]
+> To upload the SBOM to releases, you will need to give the action permission to read the artifact from the action, and write it to the release:
+> ```yaml
+> jobs:
+>  build:
+>    permissions:
+>      actions: read
+>      contents: write
+>    steps:
+> ```
+
 ## Example Usage
 
 ### Scan a container image