feat: add permissions input to narrow minted installation tokens

[MarshallOfSound]

Adds an optional permissions input so callers can mint installation tokens scoped to a subset of the App's installation permissions rather than always receiving the full scope.

The underlying @electron/github-app-auth library already accepts an `AuthNarrowing` argument with a permissions field; this plumbs a YAML-parsed input through to it.

Example

- uses: electron/github-app-auth-action@v2
  id: app-read
  with:
    creds: \${{ secrets.APP_CREDS }}
    org: electron
    permissions: |
      contents: read

Levels accepted: read, write, admin. Invalid shapes / levels / YAML syntax all fail the step with a clear message.

Why

For agent-driven workflows and other automation that runs in multiple phases with different needs, it's valuable to mint tightly-scoped tokens per step rather than reusing a full-scope token. If one phase only needs to read, it should have a read-only token; a later phase that writes can mint its own write token. Today the action only exposes the full-scope path.

Implementation notes

• Input is parsed with `js-yaml` (safe `load`, no code-execution schema). Block-map form is the expected shape, matching GitHub's own `permissions:` workflow syntax.
• Empty input preserves the prior unnarrowed behavior so this is fully backward compatible.
• Added unit tests for both the wiring into `getTokenForOrg`/`getTokenForRepo` and for the parser itself. 24/24 passing locally.
• `dist/` rebuilt via `yarn all`.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	yaml@​2.8.3

View full report

[dsanders11]

No js-yaml.

[github-actions]

🎉 This PR is included in version 2.1.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀