diff --git a/README.md b/README.md
index 59084e8..4b96113 100644
--- a/README.md
+++ b/README.md
@@ -195,7 +195,8 @@ The [dflook/terraform-apply](https://github.com/dflook/terraform-github-actions/
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 ```
- The token provided by GitHub Actions will work with the default permissions.
+ The token provided by GitHub Actions has default permissions at GitHub's whim. You can see what it is for your repo under the repo settings.
+ The minimum permissions are `pull-requests: write`. It will also likely need `contents: read` so the job can checkout the repo.
@@ -385,6 +386,10 @@ name: PR Plan
 on: [pull_request]
+permissions:
+ contents: read
+ pull-requests: write
+
 jobs:
 plan:
 runs-on: ubuntu-latest
@@ -419,6 +424,10 @@ env:
 TERRAFORM_CLOUD_TOKENS: terraform.example.com=${{ secrets.TF_REGISTRY_TOKEN }}
 TERRAFORM_SSH_KEY: ${{ secrets.TERRAFORM_SSH_KEY }}
+permissions:
+ contents: read
+ pull-requests: write
+
 jobs:
 plan:
 runs-on: ubuntu-latest
@@ -451,6 +460,10 @@ name: Terraform Plan
 on: [issue_comment]
+permissions:
+ contents: read
+ pull-requests: write
+
 jobs:
 plan:
 if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, 'terraform plan') }}
diff --git a/action.yaml b/action.yaml
index f11b6c1..c74cbe7 100644
--- a/action.yaml
+++ b/action.yaml
@@ -68,7 +68,7 @@ outputs:
 runs:
 using: docker
- image: docker://danielflook/terraform-github-actions@sha256:405665d9e9f4ff47eb61152008b3dbb25c00a831deb859ea19c46d28672afb55
+ image: docker://danielflook/terraform-github-actions@sha256:dc95f716c56bc6b50bd8b901e2b284eeb4ed9e18373fffb92a8f4b564f85044e
 entrypoint: /entrypoints/plan.sh
 branding: