diff --git a/README.md b/README.md
index b0f6224..64dc025 100644
--- a/README.md
+++ b/README.md
@@ -311,8 +311,17 @@ jobs:
           git commit -m "generated"
           git push
 ```
+
 *NOTE:* The user email is `{user.id}+{user.login}@users.noreply.github.com`. See users API: https://api.github.com/users/github-actions%5Bbot%5D
 
+# Recommended permissions
+
+When using the `checkout` action in your GitHub Actions workflow, it is recommended to set the following `GITHUB_TOKEN` permissions to ensure proper functionality, unless alternative auth is provided via the `token` or `ssh-key` inputs:
+
+```yaml
+permissions:
+  contents: read
+```
 
 # License
 
diff --git a/dist/index.js b/dist/index.js
index b0db713..fae8824 100644
--- a/dist/index.js
+++ b/dist/index.js
@@ -2114,7 +2114,8 @@ function testRef(git, ref, commit) {
         // refs/tags/
         else if (upperRef.startsWith('REFS/TAGS/')) {
             const tagName = ref.substring('refs/tags/'.length);
-            return ((yield git.tagExists(tagName)) && commit === (yield git.revParse(ref)));
+            return ((yield git.tagExists(tagName)) &&
+                commit === (yield git.revParse(`${ref}^{commit}`)));
         }
         // Unexpected
         else {
diff --git a/src/ref-helper.ts b/src/ref-helper.ts
index 58f9290..9f362e1 100644
--- a/src/ref-helper.ts
+++ b/src/ref-helper.ts
@@ -171,7 +171,8 @@ export async function testRef(
   else if (upperRef.startsWith('REFS/TAGS/')) {
     const tagName = ref.substring('refs/tags/'.length)
     return (
-      (await git.tagExists(tagName)) && commit === (await git.revParse(ref))
+      (await git.tagExists(tagName)) &&
+      commit === (await git.revParse(`${ref}^{commit}`))
     )
   }
   // Unexpected