Apply suggestions from code review

Co-authored-by: Aditya Sharad <[email protected]>

Author: yoff

actions/ql/lib/codeql/actions/config/Config.qll

@@ -158,8 +158,8 @@ predicate untrustedGhCommandDataModel(string cmd_regex, string flag) {
 /**
  * MaD models for permissions needed by actions
  * Fields:
- *    - action: action name
- *    - permission: permission name
+ *    - action: action name, e.g. `actions/checkout`
+ *    - permission: permission name, e.g. `contents: read`
  */
 predicate actionsPermissionsDataModel(string action, string permission) {
   Extensions::actionsPermissionsDataModel(action, permission)

actions/ql/lib/codeql/actions/config/ConfigExtensions.qll

@@ -85,5 +85,6 @@ extensible predicate untrustedGhCommandDataModel(string cmd_regex, string flag);
  * - `permission` is of the form `scope-name: read|write`, for example `contents: read`.
  * - see https://github.com/actions/checkout?tab=readme-ov-file#recommended-permissions
  *   for an example of recommended permissions.
+ * - see https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token for documentation of token permissions.
  */
 extensible predicate actionsPermissionsDataModel(string action, string permission);