docs: clarify GITHUB_TOKEN permissions needed for private repos

[pankajtaneja5]

What

• Add a short subsection showing the additional job-level read permissions often needed when running Scorecard Action on private repositories (issues, pull-requests, checks), alongside the existing guidance for id-token/security-events.
• Include a minimal YAML example and brief rationale.

Why

• Without these, private repos can hit Resource not accessible by integration during GraphQL ListCommits and miss SAST detection. See Suggested GITHUB_TOKEN permissions in docs not sufficent to run on (at least) private repo's #1248.

Notes

• Keeps least-privilege: adds only read scopes needed for the job; write scopes are limited to security-events (SARIF) and id-token (if publishing).

Fixes #1248

[pankajtaneja5]

Hi maintainers — this PR clarifies GITHUB_TOKEN read permissions needed for private repos (per #1248 ) and adds a minimal YAML example plus rationale. It’s a docs-only change; DCO is passing. When you have a moment, could a docs/Action maintainer take a look and (if appropriate) add a documentation label? Thanks!
cc @spencerschrock @laurentsimon

[spencerschrock]

Thanks for the contribution, just a question or two

[spencerschrock]

You can probably omit the steps section. We tend to recommend SHA pinning, so don't want to have conflicting guidance. The important thing for this doc section is just the job level permissions block

[pankajtaneja5]

Good call—done. I removed the entire steps block so this section shows only the job-level permissions example.

[spencerschrock]

Out of curiosity, did you test if actions: read was necessary? I see it's marked optional?

[pankajtaneja5]

I tested on a private repo with default read permissions and Scorecard runs fine without actions: read. It’s not required by the action; only add it if a workflow step explicitly reads Actions metadata. I’ve removed actions: read from the example to keep it minimal.

[justaugustus]

Thanks for this docs improvement, @pankajtaneja5!