diff --git a/.github/workflows/assign-to-project.yml b/.github/workflows/assign-to-project.yml
index b1eecd4..6a4323d 100644
--- a/.github/workflows/assign-to-project.yml
+++ b/.github/workflows/assign-to-project.yml
@@ -7,6 +7,11 @@ on:
     
 # github-script: https://github.com/actions/github-script
 # -> points to github rest (octokit) reference doc
+
+# github PAT: https://github.com/settings/tokens
+# must have full repo access
+
+# FIXME how can I prevent a user from creating a PR and stealing my token?
     
 jobs:
   assign: