Users who've found the blog post that introduces GitHub actions but who've yet to encounter a need to tag devices may find themselves frustrated when trying to use this action. Failure messages along the way are cryptic, and the README doesn't offer guidance.

A naive attempt with a completely de-fanged Oauth client will produce

"user does not have access to this operation"

which means, without saying so directly, that the oath client needs to have granted write permission to Devices.
Then

"requested tags [tag:ci] are invalid or not permitted"

means, without saying so directly, that the policy file hasn't included tags:ci in tagOwners:.

Mentioning these in the README may save future users frustration.