From 77340ec87ac8c0bc664a3082425520c757a4c638 Mon Sep 17 00:00:00 2001
From: Nano Taboada <nanotaboada@users.noreply.github.com>
Date: Sun, 28 Dec 2025 18:07:47 -0300
Subject: [PATCH] chore: address SonarCloud code quality issues

Move GitHub Actions permissions from workflow level to job level for
better security and least privilege principle.
(githubactions:S8264)

Replace single brackets with double brackets in shell conditionals for
safer and more feature-rich conditional tests.
(shelldre:S7688)
---
 .github/workflows/python-app.yml | 9 ++++++---
 scripts/entrypoint.sh            | 4 ++--
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/python-app.yml b/.github/workflows/python-app.yml
index 5bb52a0..7e6d17a 100644
--- a/.github/workflows/python-app.yml
+++ b/.github/workflows/python-app.yml
@@ -3,9 +3,6 @@
 
 name: Python CI
 
-permissions:
-  contents: read
-
 on:
   push:
     branches: [ master ]
@@ -15,6 +12,8 @@ on:
 jobs:
   lint:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout repository
         uses: actions/checkout@v6.0.1
@@ -44,6 +43,8 @@ jobs:
   test:
     needs: lint
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout repository
         uses: actions/checkout@v6.0.1
@@ -76,6 +77,8 @@ jobs:
   coverage:
     needs: test
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     # Only run coverage for PRs from the same repository (not forks)
     # This ensures secrets are available for Codecov and Codacy
     if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository
diff --git a/scripts/entrypoint.sh b/scripts/entrypoint.sh
index 442afa0..62025ef 100644
--- a/scripts/entrypoint.sh
+++ b/scripts/entrypoint.sh
@@ -6,9 +6,9 @@ VOLUME_STORAGE_PATH="/storage/players-sqlite3.db"
 
 echo "✔ Starting container..."
 
-if [ ! -f "$VOLUME_STORAGE_PATH" ]; then
+if [[ ! -f "$VOLUME_STORAGE_PATH" ]]; then
     echo "⚠️ No existing database file found in volume."
-    if [ -f "$IMAGE_STORAGE_PATH" ]; then
+    if [[ -f "$IMAGE_STORAGE_PATH" ]]; then
         echo "Copying database file to writable volume..."
         cp "$IMAGE_STORAGE_PATH" "$VOLUME_STORAGE_PATH"
         echo "✔ Database initialized at $VOLUME_STORAGE_PATH"