ghas-jira-integration
Default GITHUB_TOKEN permissions are not enough to fetch alerts
The README mentions that "For accessing the Code Scanning alert data, the action uses the GITHUB_TOKEN which is automatically created for you, so you don't need to provide it".
But in reality I had to manually create another PAT and use it like this for the action to successfully fetch security alerts:
```yaml
jobs:
  jira-sync:
    name: Jira Sync
    runs-on: ubuntu-latest
    steps:
      - name: Sync alerts to Jira issues
        uses: github/ghas-jira-integration@v1
        with:
          github_token: ${{ secrets.TEST_GITHUB_TOKEN }}
          jira_token: ${{ secrets.JIRA_TOKEN }}
          jira_url: 'https://apiseq.atlassian.net'
          jira_user: '[email protected]'
          jira_project: ${{ github.event.inputs.project }}
          jira_labels: 'code-scanning'
          sync_direction: 'gh2jira'
```
When not adding the manually created PAT, I get the following error:
```
requests.exceptions.HTTPError: 403 Client Error: Forbidden for url: https://api.github.com/repos/neosec-com/neosec-frontend/secret-scanning/alerts?per_page=100
```
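A way to check which alert API a given token can read before wiring it into the workflow, as an added example that is not part of the original issue or of the action's own code: it requests one alert from the code scanning and the secret scanning endpoints and reports the status plus any permission hint headers GitHub returns. `PROBE_TOKEN` and the function names are chosen for this example.

```python
import json
import os
import urllib.error
import urllib.request

API = "https://api.github.com"
# The two alert APIs involved: the README quote names code scanning,
# the 403 in the traceback is for secret scanning.
ENDPOINTS = {
    "code-scanning": "/repos/{repo}/code-scanning/alerts?per_page=1",
    "secret-scanning": "/repos/{repo}/secret-scanning/alerts?per_page=1",
}
# Response headers in which GitHub describes what the endpoint accepts
# and what a classic PAT carries (absent for some token types).
HINT_HEADERS = ("X-Accepted-GitHub-Permissions", "X-Accepted-OAuth-Scopes", "X-OAuth-Scopes")


def http_get(url, token):
    """Return (status, headers) for an authenticated GET; never raises on 4xx/5xx."""
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
        "User-Agent": "alert-access-probe",
    })
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)


def probe(repo, token, get=http_get):
    """Map each alert API to its status, a readable flag and any permission hints."""
    report = {}
    for name, path in ENDPOINTS.items():
        status, headers = get(API + path.format(repo=repo), token)
        lowered = {k.lower(): v for k, v in headers.items()}
        hints = {h: lowered[h.lower()] for h in HINT_HEADERS if h.lower() in lowered}
        report[name] = {"status": status, "readable": status == 200, "hints": hints}
    return report


if __name__ == "__main__":
    # GITHUB_REPOSITORY is set by Actions; PROBE_TOKEN is a name chosen for this example.
    result = probe(os.environ["GITHUB_REPOSITORY"], os.environ["PROBE_TOKEN"])
    print(json.dumps(result, indent=2))
    raise SystemExit(0 if all(r["readable"] for r in result.values()) else 1)
```

Run as a workflow step once with the automatic token and once with the PAT in `PROBE_TOKEN`; the step fails when either alert API is not readable, and the printed report shows which one.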