diff --git a/.github/images/token-permissions.png b/.github/images/token-permissions.png
new file mode 100644
index 0000000..542d109
Binary files /dev/null and b/.github/images/token-permissions.png differ
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 9d545e0..119cc82 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -22,6 +22,8 @@ jobs:
         config-file: markdown_link_check_config.json
   dogfooding:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - uses: actions/checkout@master # only required for eating our own dog food
       - uses: ./
diff --git a/README.md b/README.md
index 6a908d5..651b71a 100644
--- a/README.md
+++ b/README.md
@@ -57,6 +57,8 @@ on:
 jobs:
   single-commit:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
     - uses: bcanseco/github-contribution-graph-action@v2
       env:
@@ -78,6 +80,8 @@ on: push
 jobs:
   backfill-commits:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
     - uses: bcanseco/github-contribution-graph-action@v2
       env:
@@ -157,6 +161,14 @@ env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 ```
 
+#### Getting 403 errors? ❌
+
+Make sure your token has [write permission for the `contents` scope](https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs). If you're using the examples in this README, this is already done for you.
+
+You can alternatively set this as a repo-level default:
+
+![](./.github/images/token-permissions.png)
+
 ### `GIT_EMAIL` 📧
 
 This GitHub Action requires an email associated with your GitHub account. If you provide a random or throwaway email, contributions won't show up on your GitHub profile. [Read more](https://docs.github.com/en/account-and-profile/setting-up-and-managing-your-github-profile/managing-contribution-settings-on-your-profile/why-are-my-contributions-not-showing-up-on-my-profile#you-havent-added-your-local-git-commit-email-to-your-profile).