docs: narrow runtime PAT to report repository only (fine-grained PATs include public read by default)

Author: unhappychoice

README.md

@@ -142,10 +142,10 @@ The Action reads your public activity and pushes to the `gh-pages` branch. This
 
 | | Fine-grained PAT | Classic PAT |
 |---|---|---|
-| Repository access | `All repositories` | - |
+| Repository access | Your report repository only | - |
 | Permissions / Scopes | `Contents: Read & Write` | `repo` |
 
-`All repositories` is required because the tool reads events, PRs, and contributions across all your public repositories, not just the report repository.
+Fine-grained PATs always include read-only access to all public repositories on GitHub, so selecting only the report repository is enough. `Contents: Write` is needed to push to the `gh-pages` branch.
 
 ### For `npx github-weekly-reporter setup`
 

docs/manual-setup.md

@@ -6,7 +6,7 @@ This guide walks through setting up GitHub Weekly Reporter without the `setup` C
 
 - A GitHub account
 - A personal access token (PAT). Since manual setup does not create repositories or set secrets on your behalf, you only need the permissions the Action uses at runtime:
-  - **Fine-grained PAT** (recommended): repository access **All repositories**, permission `Contents: Read & Write` ([create one](https://github.com/settings/personal-access-tokens/new))
+  - **Fine-grained PAT** (recommended): select your **report repository only**, permission `Contents: Read & Write` ([create one](https://github.com/settings/personal-access-tokens/new))
   - **Classic PAT**: scope `repo` ([create one](https://github.com/settings/tokens/new?scopes=repo))
 - An LLM API key for AI-generated narratives (free tiers available from Groq and OpenRouter)