From b9d6d634622ac1a443ccb0f8ff3c96200606b9ee Mon Sep 17 00:00:00 2001
From: Fionn <fionn@bitmex.com>
Date: Thu, 13 Feb 2025 16:57:19 +0800
Subject: [PATCH] Update OAuth scopes in documentation

The acl scope is listed as a "legacy scope" and the replacement is the
policy_file scope. But, as per the documentation, this additionally
requires devices:core:read and devices:posture_attributes.

See: https://tailscale.com/kb/1215/oauth-clients#scopes
See: https://tailscale.com/kb/1215/oauth-clients#legacy-scopes
---
 README.md | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index bbab563..38202cb 100644
--- a/README.md
+++ b/README.md
@@ -3,7 +3,7 @@
 This GitHub action lets you manage your [tailnet policy file](https://tailscale.com/kb/1018/acls/) using a
 [GitOps](https://about.gitlab.com/topics/gitops/) workflow. With this GitHub
 action you can automatically manage your tailnet policy file using a git repository
-as your source of truth. 
+as your source of truth.
 
 ## Inputs
 
@@ -25,7 +25,10 @@ rotate your Tailscale API key, or use an OAuth client.
 ### `oauth-client-id` and `oauth-secret`
 
 **Optional** The ID and secret for an [OAuth client](https://tailscale.com/kb/1215/oauth-clients)
-for your tailnet. The client must have the `acl` scope.
+for your tailnet. The client must have the `devices:core:read`,
+`devices:posture_attributes:read` and `policy_file:read` scopes to test and the
+`devices:core:read`, `devices:posture_attributes` and `policy_file` scopes to
+apply.
 
 Either `api-key` or `oauth-client-id` and `oauth-secret` are required.