DOC Add note about permissions to readme

README.md

@@ -21,10 +21,15 @@ on:
   pull_request:
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   ci:
     name: CI
     uses: silverstripe/gha-ci/.github/workflows/ci.yml@v1
+    permissions:
+      pull-requests: read
+      contents: write
 ```
 
 #### Running on a regular schedule
@@ -35,15 +40,27 @@ on:
   schedule:
   - cron: '0 0 * * 1'
 
+permissions: {}
+
 jobs:
   ci:
     name: CI
     # Only run the cron on the account hosting this repository, not on the accounts of forks
     # Change '<account_name>' to match the name of the account hosting this repository
     if: (github.event_name == 'schedule' && github.repository_owner == '<account_name>') || (github.event_name != 'schedule')
     uses: silverstripe/gha-ci/.github/workflows/ci.yml@v1
+    permissions:
+      pull-requests: read
+      contents: write
 ```
 
+> [!WARNING]
+> Note that the `contents: write` permission won't be used in third-party repositories, but still needs to be defined. This permission is required by [silverstripe/gha-tag-release](https://github.com/silverstripe/gha-tag-release) which will be skipped in all repositories which are not commercially supported or not in the "silverstripe" GitHub organisation.
+>
+> To ensure you protect yourself from malicious actors, I recommend you set the "Fork pull request workflows from outside collaborators" setting in `https://github.com/<org>/<repo>/settings/actions` to one of
+> - Require approval for first-time contributors
+> - Require approval for all outside collaborators
+
 #### Job configuration
 
 Set config specific to your needs via "inputs" defined under the `with:` key. For instance, to disable PHP linting because your module does not yet have a `phpcs.xml.dist` file