Given that this project can use the GITHUB_TOKEN, I think the README should include the minimum necessary permissions for the actions to run successfully. Something like this

permissions:
  actions: none
  checks: none
  contents: none
  deployments: none
  issues: write
  packages: none
  pull-requests: write
  repository-projects: write
  security-events: none
  statuses: none

(assuming this is the correct minimum permissions filter for the operation of the action)

Thought I'd chime in here. I was able to get away with an even more minimal permission. I'm adding PRs to a repo project board. Since the action uses the event data to know which PR it is, it doesn't need to make any requests for it (ie pull-requests: none). I assume this would be similar for issues.

My permissions were as follows (Omitting permissions will default most of them to none):

permissions:
  repository-projects: write