dependabot / fetch-metadata

Extract information about the dependencies being updated by a Dependabot-generated PR.


Improve README.md around requirement for personal access token for alert-lookup

dnwe opened this issue · comments

Currently the README.md briefly mentions that alert-lookup needs a personal access token, but it doesn't specify what permissions are actually needed. It would be good to enhance that with a bit more detail such as:

This requires using a personal access token with the public_repo and security_events scopes. It is also necessary to give the user (whose personal access token is being used) access to view security alerts (see "Granting access to security alerts").

I'd initially assumed that I should just be able to use the built-in support for enhancing the default access token using the permissions: directive in GitHub Actions (as per the doc)

permissions:
  security-events: read

I assume this doesn't work because of the bit above about "granting access to security alerts", but it would be good to clarify that in the README and ideally raise the issue with GitHub Support. It would be much cleaner if you could just do this rather than having to manage and rotate dedicated personal-access credentials for it.
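As an added illustration (not part of this thread and not the fetch-metadata project's own documentation), the workflow below puts the two approaches discussed above side by side: the `permissions:` grant on the built-in `GITHUB_TOKEN`, which the reporter found insufficient for `alert-lookup`, and a personal access token passed in through a repository secret. The secret name `DEPENDABOT_ALERTS_PAT`, the `@v1` version tag, and the output names used in the final step are assumptions for the example; `alert-lookup` and `github-token` are the action inputs the thread refers to.

```yaml
# Added example workflow; not from the original issue or the action's README.
name: Dependabot metadata with alert lookup

on: pull_request

# First attempt from the issue: extend the default GITHUB_TOKEN via permissions.
# The reporter found that this alone does NOT let alert-lookup read alerts,
# because the token's identity must also be granted access to security alerts.
permissions:
  contents: read
  pull-requests: write
  security-events: read

jobs:
  dependabot-metadata:
    runs-on: ubuntu-latest
    # Only act on PRs that Dependabot itself opened.
    if: github.actor == 'dependabot[bot]'
    steps:
      - name: Fetch Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v1   # version tag is illustrative
        with:
          alert-lookup: true
          # Working approach from the issue text: a classic PAT with the
          # public_repo and security_events scopes, created by a user who has
          # been granted access to view the repository's security alerts.
          # DEPENDABOT_ALERTS_PAT is an assumed secret name; it must be
          # stored as a Dependabot secret as well as an Actions secret if the
          # workflow runs in the dependabot[bot] context.
          github-token: ${{ secrets.DEPENDABOT_ALERTS_PAT }}
          # To reproduce the failing case instead, swap in the built-in token:
          # github-token: ${{ secrets.GITHUB_TOKEN }}

      - name: Report alert state
        # Output names (alert-state, ghsa-id, cvss) are assumed here for the
        # example; check the action's README for the exact names it exposes.
        if: steps.metadata.outputs.alert-state != ''
        run: |
          echo "alert state: ${{ steps.metadata.outputs.alert-state }}"
          echo "advisory:    ${{ steps.metadata.outputs.ghsa-id }}"
          echo "cvss:        ${{ steps.metadata.outputs.cvss }}"
```

One operational caveat that follows from the reporter's point: a PAT is a long-lived credential tied to a human account, so it should be scoped as narrowly as the lookup allows (public_repo plus security_events, nothing more), stored only as a secret, and rotated on a schedule; the built-in token needs none of that, which is why a `permissions:`-only solution would be preferable if GitHub supported it.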

👋 Sorry for the slow reply.

The behavior around alert lookup changed recently.

So by default anyone with write/maintain access to the repo will have access (I assume under the security_events scope)...

Rather than writing this all up in the readme, what we need here is to update the relevant GitHub docs:

  1. the granting access to alerts doc needs to be updated to reflect the new more permissive permissions
  2. the relevant API docs need to clarify what scopes are needed.

Thanks for reporting this. I've reached out to the relevant teams to update the docs, and once that happens it should be straightforward to link to those from the readme. Linking out will be a lot more maintainable over time than describing everything here in our readme.