diff --git a/.github/workflows/python-app.yml b/.github/workflows/python-app.yml
index 5bb52a0..7e6d17a 100644
--- a/.github/workflows/python-app.yml
+++ b/.github/workflows/python-app.yml
@@ -3,9 +3,6 @@
 
 name: Python CI
 
-permissions:
-  contents: read
-
 on:
   push:
     branches: [ master ]
@@ -15,6 +12,8 @@ on:
 jobs:
   lint:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout repository
         uses: actions/checkout@v6.0.1
@@ -44,6 +43,8 @@ jobs:
   test:
     needs: lint
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout repository
         uses: actions/checkout@v6.0.1
@@ -76,6 +77,8 @@ jobs:
   coverage:
     needs: test
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     # Only run coverage for PRs from the same repository (not forks)
     # This ensures secrets are available for Codecov and Codacy
     if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository
diff --git a/scripts/entrypoint.sh b/scripts/entrypoint.sh
index 442afa0..62025ef 100644
--- a/scripts/entrypoint.sh
+++ b/scripts/entrypoint.sh
@@ -6,9 +6,9 @@ VOLUME_STORAGE_PATH="/storage/players-sqlite3.db"
 
 echo "✔ Starting container..."
 
-if [ ! -f "$VOLUME_STORAGE_PATH" ]; then
+if [[ ! -f "$VOLUME_STORAGE_PATH" ]]; then
     echo "⚠️ No existing database file found in volume."
-    if [ -f "$IMAGE_STORAGE_PATH" ]; then
+    if [[ -f "$IMAGE_STORAGE_PATH" ]]; then
         echo "Copying database file to writable volume..."
         cp "$IMAGE_STORAGE_PATH" "$VOLUME_STORAGE_PATH"
         echo "✔ Database initialized at $VOLUME_STORAGE_PATH"