diff --git a/README.md b/README.md
index 4ee7df5..8dd73f7 100644
--- a/README.md
+++ b/README.md
@@ -35,7 +35,7 @@ jobs:
 
     # Add "id-token" with the intended permissions.
     permissions:
-      contents: read
+      contents: 'read'
       id-token: 'write'
 
     steps:
@@ -157,7 +157,7 @@ jobs:
 
     # Add "id-token" with the intended permissions.
     permissions:
-      contents: read
+      contents: 'read'
       id-token: 'write'
 
     steps:
@@ -203,7 +203,7 @@ jobs:
 
     # Add "id-token" with the intended permissions.
     permissions:
-      contents: read
+      contents: 'read'
       id-token: 'write'
 
     steps:
@@ -238,7 +238,7 @@ jobs:
 
     # Add "id-token" with the intended permissions.
     permissions:
-      contents: read
+      contents: 'read'
       id-token: 'write'
 
     steps:
diff --git a/src/main.ts b/src/main.ts
index 9fd09f3..d4ac54b 100644
--- a/src/main.ts
+++ b/src/main.ts
@@ -46,7 +46,10 @@ async function run(): Promise<void> {
     // fails, which means continue-on-error actions will still have the file
     // available.
     if (createCredentialsFile) {
-      const runnerTempDir = process.env.RUNNER_TEMP!;
+      const runnerTempDir = process.env.RUNNER_TEMP;
+      if (!runnerTempDir) {
+        throw new Error('$RUNNER_TEMP is not set');
+      }
 
       // Extract the request token and request URL from the environment. These
       // are only set when an id-token is requested and the submitter has