How to push to protected branches in a GitHub Action

Seems like tying the perms on the action to the perms on the author of a commit could provide the automation power we want here without the security vulnerability. No?