diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 37d759d35..3d5ccade2 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -17,8 +17,6 @@ jobs:
 versions: ${{ steps.compare.outputs.versions }}
 permissions:
- actions: read
- contents: read
 security-events: write
 steps:
@@ -68,8 +66,6 @@ jobs:
 runs-on: ${{ matrix.os }}
 permissions:
- actions: read
- contents: read
 security-events: write
 steps:
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 626851691..5717d4750 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,7 +2,11 @@
 ## [UNRELEASED]
-No user facing changes.
+- Update README to include a sample permissions block. [#689](https://github.com/github/codeql-action/pull/689)
+
+## 1.0.11 - 09 Aug 2021
+
+- Update default CodeQL bundle version to 2.5.9. [#687](https://github.com/github/codeql-action/pull/687)
 ## 1.0.10 - 03 Aug 2021
diff --git a/README.md b/README.md
index f1bfdcaf8..36a13b6fd 100644
--- a/README.md
+++ b/README.md
@@ -42,6 +42,14 @@ jobs:
 # CodeQL runs on ubuntu-latest, windows-latest, and macos-latest
 runs-on: ubuntu-latest
+ permissions:
+ # required for all workflows
+ security-events: write
+
+ # only required for workflows in private repositories
+ actions: read
+ contents: read
+
 steps:
 - name: Checkout repository
 uses: actions/checkout@v2
diff --git a/node_modules/.package-lock.json b/node_modules/.package-lock.json
index 7d1c1b920..25be8a149 100644
--- a/node_modules/.package-lock.json
+++ b/node_modules/.package-lock.json
@@ -1,6 +1,6 @@
 {
 "name": "codeql",
- "version": "1.0.11",
+ "version": "1.0.12",
 "lockfileVersion": 2,
 "requires": true,
 "packages": {
diff --git a/package-lock.json b/package-lock.json
index 3ee40f6c3..d2ec277ee 100644
--- a/package-lock.json
+++ b/package-lock.json
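Review bot: The trimmed `permissions:` block in the first codeql.yml hunk (and the identical one at `@@ -68,8 +66,6 @@`) has no comment saying why `actions: read` and `contents: read` can be left out. Once a `permissions` key is present, every scope that is not listed is set to none, so both jobs now depend on the repository being public; the README hunk in this same commit states that these two scopes are required in private repositories. I would add a comment above `security-events: write`, for example `# actions: read and contents: read are omitted because this repository is public; add them back in a private fork or mirror`. That keeps someone who copies this workflow into a private repository from hitting a failing checkout and then widening or deleting the `permissions` block to get past it. Both job bodies continue outside the hunks.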
@@ -1,12 +1,12 @@
 {
 "name": "codeql",
- "version": "1.0.11",
+ "version": "1.0.12",
 "lockfileVersion": 2,
 "requires": true,
 "packages": {
 "": {
 "name": "codeql",
- "version": "1.0.11",
+ "version": "1.0.12",
 "license": "MIT",
 "dependencies": {
 "@actions/artifact": "^0.5.2",
diff --git a/package.json b/package.json
index e70f52eda..4ebb6547a 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "codeql",
- "version": "1.0.11",
+ "version": "1.0.12",
 "private": true,
 "description": "CodeQL action",
 "scripts": {
diff --git a/runner/package-lock.json b/runner/package-lock.json
index 2c62d9e63..67526dff3 100644
--- a/runner/package-lock.json
+++ b/runner/package-lock.json
@@ -1,6 +1,6 @@
 {
 "name": "codeql-runner",
- "version": "1.0.11",
+ "version": "1.0.12",
 "lockfileVersion": 1,
 "requires": true,
 "dependencies": {
diff --git a/runner/package.json b/runner/package.json
index 2b0590320..1db2baa1c 100644
--- a/runner/package.json
+++ b/runner/package.json
@@ -1,6 +1,6 @@
 {
 "name": "codeql-runner",
- "version": "1.0.11",
+ "version": "1.0.12",
 "private": true,
 "description": "CodeQL runner",
 "scripts": {