The more I've used Actions, the more I have come to two conclusions:

1) It's generally better to just do things with legacy tooling and your own scripts, than it is to pull in community actions

2) GitHub badly needs to implement tightly scoped tokens. GITHUB_TOKEN has a completely fixed and unmodifiable scope, and if you need to give a workflow an OAuth token to perform some other operation, your only choice is to give it a full read-write token for all of the repositories the token's user can access. You can't even scope a token to a single repo, let alone make one that's read-only, or limited to, say, commenting.

GP, and I agree, wants tokens to be scoped to repos, not to activities.

Your link describes how you can limit the things you can do with a token. But GitHub doesn’t allow limiting where you can do those things.

It’s annoying and I wish they would fix this. If you work on lots of repos across lots of orgs, this is a big vulnerability. I get the heebie-jeebies whenever I have to grant permission on something because if I make a mistake it could hose lots of things.
