diff --git a/.github/workflows/maven-pr-builder.yml b/.github/workflows/maven-pr-builder.yml
index 0440600a3f81..be5eb344d874 100644
--- a/.github/workflows/maven-pr-builder.yml
+++ b/.github/workflows/maven-pr-builder.yml
@@ -31,6 +31,9 @@ on:
     branches: [ master ]
     types: [ opened, reopened, synchronize ]
 
+permissions:
+  contents: read
+
 jobs:
   build-and-analyze:
 
@@ -71,8 +74,10 @@ jobs:
       run: sudo apt-get install -y xvfb
 
     - name: Build with Maven and run SonarQube analysis
-      run: xvfb-run ./mvnw clean verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.host.url=https://sonarcloud.io -Dsonar.organization=iluwatar -Dsonar.projectKey=iluwatar_java-design-patterns -Dsonar.pullrequest.branch=${{ github.head_ref }} -Dsonar.pullrequest.base=${{ github.base_ref }} -Dsonar.pullrequest.key=${{ github.event.pull_request.number }}
       env:
+        # Intermediate variable
+        HEAD_REF: ${{ github.head_ref }}
         # These two env variables are needed for sonar analysis
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+      run: xvfb-run ./mvnw clean verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.host.url=https://sonarcloud.io -Dsonar.organization=iluwatar -Dsonar.projectKey=iluwatar_java-design-patterns -Dsonar.pullrequest.branch=$HEAD_REF -Dsonar.pullrequest.base=${{ github.base_ref }} -Dsonar.pullrequest.key=${{ github.event.pull_request.number }}