kunalnagarco / action-cve

A GitHub action that sends Dependabot Vulnerability Alerts to multiple sources.
https://github.com/marketplace/actions/check-cve
MIT License
22 stars 22 forks

What permissions does the action need in the personal access token? #121

Closed dancmeyers closed 1 year ago

dancmeyers commented 1 year ago

I've followed the Wiki for trying to get this action running. My YAML file looks like this, which from reading the docs appears to be correct:

name: "Check for Dependabot-alerted vulnerabilities"
on:
  schedule:
    - cron: "13 9 * * 1-5" # 09:13 every Mon-Fri
jobs:
  main:
    runs-on: ubuntu-latest
    steps:
      # Latest version listed at: https://github.com/marketplace/actions/check-cve
      - name: check-cve
        uses: kunalnagarco/action-cve@v1.7.11
        with:
          token: ${{ secrets.ACTION_CVE_PERSONAL_ACCESS_TOKEN }}
          slack_webhook: ${{ secrets.ACTION_CVE_SLACK_WEBHOOK }}
          count: 10

I'm confident I've got the Slack webhook set up correctly, as that's something I've done for various other processes and works fine for all of those, but I can't find any options that would actually help me debug it.

The personal access token I've asked to be created (I don't have permissions to set it up or save it in secrets on the repo itself) has only the repo > security_events permission. I was making a guess that that was the permission needed for Dependabot alerts, as the documentation doesn't specify.

But the bot doesn't seem to be working: we're not getting any alerts when new Dependabot vulnerabilities are detected.

So my two questions are: 1) What personal access token permissions does this bot need to run successfully? 2) Is there any debugging output I can get the bot to spit out somewhere so that I can try and work out what is going wrong with it?

Thanks
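
A small diagnostic for both questions in this post. It is an added example, not part of action-cve, and it makes one assumption the issue itself does not confirm: that a classic personal access token needs the `security_events` scope (or the broader `repo` scope, which includes it) to read Dependabot alerts, as GitHub's REST documentation for the `GET /repos/{owner}/{repo}/dependabot/alerts` endpoint describes. The script calls that endpoint with the token and turns the HTTP status, the `X-OAuth-Scopes` response header (sent for classic tokens only) and the JSON `message` field into a plain verdict, so the token can be checked independently of the action. The `diagnose` function does the interpretation without any network access, and `check_repo` wraps it with the live request.

```python
"""Check whether a personal access token can read a repository's Dependabot alerts.

Hypothetical helper, not part of action-cve. It queries the GitHub REST endpoint
GET /repos/{owner}/{repo}/dependabot/alerts and explains the response.
"""
import json
import os
import sys
import urllib.error
import urllib.request

GITHUB_API = "https://api.github.com"
# Assumption (not confirmed by this issue): a classic PAT needs the
# `security_events` scope for this endpoint; the broader `repo` scope includes it.
SUFFICIENT_SCOPES = {"security_events", "repo"}


def parse_scopes(header_value):
    """Split the `X-OAuth-Scopes` header (classic PATs only) into a set of scope names."""
    return {s.strip() for s in (header_value or "").split(",") if s.strip()}


def diagnose(status, scopes_header, body_text):
    """Map an alerts-API response to (ok, message); pure function, no network."""
    scopes = parse_scopes(scopes_header)
    try:
        body = json.loads(body_text) if body_text else None
    except json.JSONDecodeError:
        body = None
    api_msg = body.get("message", "") if isinstance(body, dict) else ""

    if status == 200 and isinstance(body, list):
        return True, f"token can read Dependabot alerts ({len(body)} returned on this page)"
    if status == 401:
        return False, "token rejected (expired, revoked or mistyped): " + api_msg
    if status == 403:
        # A scope header that lacks every sufficient scope is the most common cause.
        if scopes and not (scopes & SUFFICIENT_SCOPES):
            needed = ", ".join(sorted(SUFFICIENT_SCOPES))
            return False, f"token scopes {sorted(scopes)} lack any of: {needed}"
        # Fine-grained tokens send no scope header; fall back to GitHub's own message.
        return False, "forbidden; check whether Dependabot alerts are enabled for the repo: " + api_msg
    if status == 404:
        return False, "repository not visible to this token (wrong name, or no access to a private repo): " + api_msg
    return False, f"unexpected HTTP {status}: {api_msg or (body_text or '')[:200]}"


def check_repo(token, repo):
    """Query the live API for `repo` ("owner/name"); returns (ok, message)."""
    req = urllib.request.Request(
        f"{GITHUB_API}/repos/{repo}/dependabot/alerts?state=open&per_page=1",
        headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
        },
    )
    try:
        with urllib.request.urlopen(req) as resp:
            return diagnose(resp.status, resp.headers.get("X-OAuth-Scopes"), resp.read().decode())
    except urllib.error.HTTPError as err:
        # GitHub returns its explanation in the error body; keep the headers too.
        return diagnose(err.code, err.headers.get("X-OAuth-Scopes"), err.read().decode())


if __name__ == "__main__":
    token = os.environ.get("GITHUB_TOKEN")
    repo = os.environ.get("GITHUB_REPOSITORY")  # e.g. "owner/name"
    if not token or not repo:
        sys.exit("set GITHUB_TOKEN and GITHUB_REPOSITORY (owner/name) first")
    ok, message = check_repo(token, repo)
    print(("OK: " if ok else "PROBLEM: ") + message)
    sys.exit(0 if ok else 1)
```

Run it locally with the same token the workflow uses, or add it as a step before the action-cve step with `env: GITHUB_TOKEN: ${{ secrets.ACTION_CVE_PERSONAL_ACCESS_TOKEN }}`; the verdict then lands in the job log, which gives the debugging output the action itself does not print. A token that passes here but still produces no Slack messages points at the webhook or the action's own filtering rather than at permissions.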

kunalnagar commented 1 year ago

@dancmeyers - please check out https://github.com/kunalnagarco/action-cve/issues/68#issuecomment-1139135806 and https://github.com/kunalnagarco/action-cve/issues/113