Update github example workflow to fix workflow permissions issue (azimuth-cloud#209)

Author: sd109

.github-upgrade-check.yml.sample

@@ -3,9 +3,14 @@
 # newer tag is found in the upstream repository then a pull request is created to the downstream repo
 # in order to merge in the changes from the new upstream release.
 
-# To use this workflow in a downstream azimuth-config repository simply copy it into .github/workflows
-# and give it an appropriate name, e.g.
-# cp .github-upgrade-check.yml.sample .github/workflows/upgrade-check.yml
+# To use this workflow in a downstream azimuth-config repository, first copy it into .github/workflows
+# and give it an appropriate name, e.g. `cp .github-upgrade-check.yml.sample .github/workflows/upgrade-check.yml`
+# then create a fine-grained GitHub access token for the target repository with the permissions specified here:
+# https://github.com/peter-evans/create-pull-request?tab=readme-ov-file#token
+# (i.e. contents: write, pull-requests: write AND workflows: write).
+# GitHub actions can be funny about using tokens with no expiry date in workflows so make sure the token
+# has an expiry date. After creating the token, copy the generated secret string and set it as a GitHub
+# actions secret named WORKFLOW_TOKEN in the repository's settings page.
 
 name: Check for upstream updates
 on:
@@ -66,3 +71,4 @@ jobs:
           body: This PR was automatically generated by GitHub Actions.
           commit-message: "Upgrade Azimuth to ${{ steps.release_tag.outputs.value }}"
           delete-branch: true
+          token: ${{ secrets.WORKFLOW_TOKEN }}