diff --git a/README.md b/README.md
index b0f6224..a69c181 100644
--- a/README.md
+++ b/README.md
@@ -79,6 +79,8 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
     clean: ''
 
     # Partially clone against a given filter. Overrides sparse-checkout if set.
+    # Note that when a filter is provided, fetch-depth is still respected; you
+    # may want to specify `fetch-depth: 0` to ensure the full history is fetched.
     # Default: null
     filter: ''
 
@@ -311,8 +313,17 @@ jobs:
           git commit -m "generated"
           git push
 ```
+
 *NOTE:* The user email is `{user.id}+{user.login}@users.noreply.github.com`. See users API: https://api.github.com/users/github-actions%5Bbot%5D
 
+# Recommended permissions
+
+When using the `checkout` action in your GitHub Actions workflow, it is recommended to set the following `GITHUB_TOKEN` permissions to ensure proper functionality, unless alternative auth is provided via the `token` or `ssh-key` inputs:
+
+```yaml
+permissions:
+  contents: read
+```
 
 # License
 
diff --git a/action.yml b/action.yml
index 6842eb8..9bbe421 100644
--- a/action.yml
+++ b/action.yml
@@ -59,8 +59,9 @@ inputs:
     default: true
   filter:
     description: >
-      Partially clone against a given filter.
-      Overrides sparse-checkout if set.
+      Partially clone against a given filter. Overrides sparse-checkout if set.
+      Note that when a filter is provided, fetch-depth is still respected; you
+      may want to specify `fetch-depth: 0` to ensure the full history is fetched.
     default: null
   sparse-checkout:
     description: >