diff --git a/README.md b/README.md
index b0f6224..64dc025 100644
--- a/README.md
+++ b/README.md
@@ -311,8 +311,17 @@ jobs:
           git commit -m "generated"
           git push
 ```
+
 *NOTE:* The user email is `{user.id}+{user.login}@users.noreply.github.com`. See users API: https://api.github.com/users/github-actions%5Bbot%5D
 
+# Recommended permissions
+
+When using the `checkout` action in your GitHub Actions workflow, it is recommended to set the following `GITHUB_TOKEN` permissions to ensure proper functionality, unless alternative auth is provided via the `token` or `ssh-key` inputs:
+
+```yaml
+permissions:
+  contents: read
+```
 
 # License
 
diff --git a/src/git-command-manager.ts b/src/git-command-manager.ts
index 8e42a38..1a8709a 100644
--- a/src/git-command-manager.ts
+++ b/src/git-command-manager.ts
@@ -44,6 +44,7 @@ export interface IGitCommandManager {
   getWorkingDirectory(): string
   init(): Promise<void>
   isDetached(): Promise<boolean>
+  lfsCheckout(): Promise<void>
   lfsFetch(ref: string): Promise<void>
   lfsInstall(): Promise<void>
   log1(format?: string): Promise<string>
@@ -340,6 +341,10 @@ class GitCommandManager {
     return !output.stdout.trim().startsWith('refs/heads/')
   }
 
+  async lfsCheckout(): Promise<void> {
+    await this.execGit(['lfs', 'checkout'])
+  }
+
   async lfsFetch(ref: string): Promise<void> {
     const args = ['lfs', 'fetch', 'origin', ref]
 
diff --git a/src/git-source-provider.ts b/src/git-source-provider.ts
index 2d35138..2ceca2f 100644
--- a/src/git-source-provider.ts
+++ b/src/git-source-provider.ts
@@ -232,6 +232,11 @@ export async function getSource(settings: IGitSourceSettings): Promise<void> {
     await git.checkout(checkoutInfo.ref, checkoutInfo.startPoint)
     core.endGroup()
 
+    // LFS checkout
+    core.startGroup('Checking out LFS objects')
+    await git.lfsCheckout()
+    core.endGroup()
+
     // Submodules
     if (settings.submodules) {
       // Temporarily override global config