From c49d2941df98e2814bc0e005ec4c6862611e5d3d Mon Sep 17 00:00:00 2001
From: Brendan <2bndy5@gmail.com>
Date: Wed, 27 Mar 2024 17:38:23 -0700
Subject: [PATCH 1/4] try updating comments on push
---
 .github/workflows/self-test.yml | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/self-test.yml b/.github/workflows/self-test.yml
index 55d1c8b..d6082a2 100644
--- a/.github/workflows/self-test.yml
+++ b/.github/workflows/self-test.yml
@@ -2,24 +2,24 @@ name: Self test action
 on:
 push:
- branches: main
- paths:
- - 'action.yml'
- - 'requirements.txt'
- - 'docs/examples/demo/**'
- - '.github/workflows/self-test.yml'
- pull_request:
- branches: main
+ branches: [main, assess-push-permission]
 paths:
 - 'action.yml'
 - 'requirements.txt'
 - 'docs/examples/demo/**'
 - '.github/workflows/self-test.yml'
+ # pull_request:
+ # branches: main
+ # paths:
+ # - 'action.yml'
+ # - 'requirements.txt'
+ # - 'docs/examples/demo/**'
+ # - '.github/workflows/self-test.yml'
 jobs:
 test:
 permissions:
- issues: write
+ contents: read
 pull-requests: write
 strategy:
 matrix:
From 6af46c204c467cd9cfd2517959e723b21f52a6e2 Mon Sep 17 00:00:00 2001
From: Brendan <2bndy5@gmail.com>
Date: Wed, 27 Mar 2024 17:42:13 -0700
Subject: [PATCH 2/4] try `contents: write` permission
---
 .github/workflows/self-test.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/self-test.yml b/.github/workflows/self-test.yml
index d6082a2..5b5e19b 100644
--- a/.github/workflows/self-test.yml
+++ b/.github/workflows/self-test.yml
@@ -19,7 +19,7 @@ on:
 jobs:
 test:
 permissions:
- contents: read
+ contents: write
 pull-requests: write
 strategy:
 matrix:
From 35cecd4a07df97fcd2f7d5bd5c71a49dfc3a4004 Mon Sep 17 00:00:00 2001
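Review bot: `contents: write` in the `permissions:` block of job `test` ([PATCH 2/4]) gives the token write access to repository contents on every matrix leg, although the series only needs it to post commit comments on push events. [PATCH 4/4] restores the `pull_request` trigger, but its hunk stops at `jobs: test:` and leaves this block alone, so runs for pull requests opened from branches of this repository would presumably get the same write scope. Consider keeping `contents: read` as the default and moving the write grant into a job gated with `if: github.event_name == 'push'`, with a comment such as `# contents: write is needed to post commit comments on push events`. The strategy and steps of the job lie outside the hunk, so whether any step runs code taken from the pull request cannot be confirmed from here.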
From: Brendan <2bndy5@gmail.com>
Date: Wed, 27 Mar 2024 19:05:02 -0700
Subject: [PATCH 3/4] update docs
---
 docs/action.yml | 6 +--
 docs/examples/index.md | 7 ++--
 docs/examples/only-PR-comments.yml | 8 ++--
 docs/permissions.md | 61 +++++++++++++++++++++++-------
 docs/stylesheets/extra.css | 22 +++++++++++
 5 files changed, 82 insertions(+), 22 deletions(-)
diff --git a/docs/action.yml b/docs/action.yml
index 0f08bce..b5a5f23 100644
--- a/docs/action.yml
+++ b/docs/action.yml
@@ -14,15 +14,15 @@ inputs:
 minimum-version: '1.3.0'
 lines-changed-only:
 minimum-version: '1.5.0'
- required-permission: 'content: read #file-changes'
+ required-permission: 'contents: read #file-changes'
 files-changed-only:
 minimum-version: '1.3.0'
- required-permission: 'content: read #file-changes'
+ required-permission: 'contents: read #file-changes'
 ignore:
 minimum-version: '1.3.0'
 thread-comments:
 minimum-version: '2.6.2'
- required-permission: 'issues: write #thread-comments'
+ required-permission: 'contents: write #thread-comments'
 no-lgtm:
 minimum-version: '2.6.2'
 step-summary:
diff --git a/docs/examples/index.md b/docs/examples/index.md
index 61e361f..2191f19 100644
--- a/docs/examples/index.md
+++ b/docs/examples/index.md
@@ -31,6 +31,7 @@ Here are some example workflows to get started quickly.
 --8<-- "docs/examples/only-PR-comments.yml"
 ```
- 1. See also [`style`][style]
- 2. See also [`tidy-checks`][tidy-checks]
- 3. See also [`thread-comments`][thread-comments]
+ 1. See also our [token permissions document](../permissions.md)
+ 2. See also [`style`][style]
+ 3. See also [`tidy-checks`][tidy-checks]
+ 4. See also [`thread-comments`][thread-comments]
diff --git a/docs/examples/only-PR-comments.yml b/docs/examples/only-PR-comments.yml
index 1fc890b..389248e 100644
--- a/docs/examples/only-PR-comments.yml
+++ b/docs/examples/only-PR-comments.yml
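Review bot: The new `required-permission` for `thread-comments` in docs/action.yml names only `contents: write`, while docs/permissions.md in this same patch says pull_request events need `pull-requests: write` for that feature. If this field can hold only one scope, a reader who follows it for a pull-request-only workflow would grant repository write access the feature does not need there. Consider a comment above the entry such as `# push events: contents: write; pull_request events: pull-requests: write`, or pointing the entry at the `#thread-comments` section without naming a single scope. The `inputs:` mapping starts and continues outside the hunk.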
@@ -10,6 +10,8 @@ on:
 jobs:
 cpp-linter:
 runs-on: ubuntu-latest
+ permissions: # (1)!
+ pull-requests: write
 steps:
 - uses: actions/checkout@v4
@@ -20,9 +22,9 @@ jobs:
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with:
- style: 'file' # Use .clang-format config file. (1)
- tidy-checks: '' # Use .clang-tidy config file. (2)
- # only 'update' a single comment in a pull request's thread. (3)
+ style: 'file' # Use .clang-format config file. (2)
+ tidy-checks: '' # Use .clang-tidy config file. (3)
+ # only 'update' a single comment in a pull request's thread. (4)
 thread-comments: ${{ github.event_name == 'pull_request' && 'update' }}
 - name: Fail fast?!
diff --git a/docs/permissions.md b/docs/permissions.md
index 202108c..d10163f 100644
--- a/docs/permissions.md
+++ b/docs/permissions.md
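Review bot: The job-level `permissions:` added in the first hunk of docs/examples/only-PR-comments.yml lists only `pull-requests: write`, and a job-level block sets every scope it does not name to none, so `contents` is dropped for the `actions/checkout@v4` step that follows. On a private repository that checkout would presumably fail, and users tend to copy example workflows as they are. Name the scope explicitly by adding `contents: read` next to `pull-requests: write`, which keeps the example least-privilege and working. The job continues outside the hunk.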
@@ -14,26 +14,61 @@ When using [`files-changed-only`](inputs-outputs.md#files-changed-only) or [`lines-changed-only`](inputs-outputs.md#lines-changed-only) to get the list of file changes for a CI event, the following permissions are needed:
-```yaml
- permissions:
- contents: read # (1)!
-```
+=== "`#!yaml on: push`"
+
+ For [push events](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#push)
+
+ ```yaml
+ permissions:
+ contents: read # (1)!
+ ```
+
+ 1. This permission is also needed to download files if the repository is not
+ checked out before running cpp-linter.
+
+=== "`#!yaml on: pull_request`"
+
+ For [pull_request events](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request)
+
+ ```yaml
+ permissions:
+ contents: read # (1)!
+ pull-requests: read # (2)!
+ ```
-1. This permission is also needed to download files if the repository is not checked out before
- running cpp-linter (for both push and pull_request events).
+ 1. For pull requests, this permission is only needed to download files if
+ the repository is not checked out before running cpp-linter.
+ 2. Specifying `#!yaml write` is also sufficient as that is required for
+
+ * posting [thread comments](#thread-comments) on pull requests
+ * posting [pull request reviews](#pull-request-reviews)
 ## Thread Comments
 The [`thread-comments`](inputs-outputs.md#thread-comments) feature requires the following permissions:
-```yaml
- permissions:
- issues: write # (1)!
- pull-requests: write # (2)!
-```
+=== "`#!yaml on: push`"
+
+ For [push events](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#push)
+
+ ```yaml
+ permissions:
+ metadata: read # (1)!
+ contents: write # (2)!
+ ```
+
+ 1. needed to fetch existing comments
+ 2. needed to post or update a commit comment. This also allows us to delete
+ an outdated comment if needed.
+
+=== "`#!yaml on: pull_request`"
+
+ For [pull_request events](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request)
-1. for [push events](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#push)
-2. for [pull_request events](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request)
+ ```yaml
+ permissions:
+ pull-requests: write
+ ```
 ## Pull Request Reviews
diff --git a/docs/stylesheets/extra.css b/docs/stylesheets/extra.css
index 6651c6f..65f1ada 100644
--- a/docs/stylesheets/extra.css
+++ b/docs/stylesheets/extra.css
@@ -204,3 +204,25 @@ th {
 display: block;
 max-height: none
 }
+
+/* annotation buttons' pulse animation */
+a.md-annotation__index {
+ border-radius: 2.2ch;
+}
+
+@keyframes pulse {
+ 0% {
+ box-shadow: 0 0 0 0 var(--md-accent-fg-color);
+ transform: scale(.95)
+ }
+
+ 75% {
+ box-shadow: 0 0 0 .625em transparent;
+ transform: scale(1)
+ }
+
+ to {
+ box-shadow: 0 0 0 0 transparent;
+ transform: scale(.95)
+ }
+}
From 5d9bc4abcfe05dd44f73ea2467b2a555abed7be8 Mon Sep 17 00:00:00 2001
From: Brendan <2bndy5@gmail.com>
Date: Wed, 27 Mar 2024 19:06:36 -0700
Subject: [PATCH 4/4] revert CI changes to test push event permissons
---
 .github/workflows/self-test.yml | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/self-test.yml b/.github/workflows/self-test.yml
index 5b5e19b..c770088 100644
--- a/.github/workflows/self-test.yml
+++ b/.github/workflows/self-test.yml
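Review bot: In docs/stylesheets/extra.css the comment `/* annotation buttons' pulse animation */` sits above a rule that only sets `border-radius`, and no `animation` property in this hunk references the `@keyframes pulse` block that follows. If the block is meant to replace keyframes of the same name shipped by the docs theme, say so next to it, e.g. `/* overrides the theme's "pulse" keyframes used by annotation markers */`. Without that, the block reads as unused CSS and could be removed later by mistake.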
@@ -2,19 +2,19 @@ name: Self test action
 on:
 push:
- branches: [main, assess-push-permission]
+ branches: [main]
+ paths:
+ - 'action.yml'
+ - 'requirements.txt'
+ - 'docs/examples/demo/**'
+ - '.github/workflows/self-test.yml'
+ pull_request:
+ branches: main
 paths:
 - 'action.yml'
 - 'requirements.txt'
 - 'docs/examples/demo/**'
 - '.github/workflows/self-test.yml'
- # pull_request:
- # branches: main
- # paths:
- # - 'action.yml'
- # - 'requirements.txt'
- # - 'docs/examples/demo/**'
- # - '.github/workflows/self-test.yml'
 jobs:
 test:
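Review bot: After this revert the two triggers spell the same branch filter differently, `branches: [main]` under `push` and `branches: main` under `pull_request`; use one form for both, e.g. `branches: [main]`. The `paths:` list is now repeated verbatim for the two events, so a comment above the first copy such as `# keep in sync with the pull_request paths below` would help the next editor. The job body, including its `permissions:` block, lies outside this hunk.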