diff --git a/.github/workflows/sync.yaml b/.github/workflows/sync.yaml
index 3de7e96..b44a3c6 100644
--- a/.github/workflows/sync.yaml
+++ b/.github/workflows/sync.yaml
@@ -12,8 +12,12 @@ jobs:
 sync:
+ env:
+ GITHUB_ACTIONS_ENVIRONMENT: ${{ github.action }}
 runs-on: ubuntu-latest
 steps:
+ - name: Security Check
+ run: if [ "$GITHUB_ACTIONS_ENVIRONMENT" == "" ]; then echo "This workflow is only intended to run inside GitHub Actions"; exit 1; fi
 - name: Checkout GitHub Mirror
 uses: actions/checkout@v3
 with:
@@ -61,3 +65,6 @@ name: Sync Primary Repository to GitHub Mirror
 schedule:
 - cron: 0 * * * *
 workflow_dispatch: {}
+permissions:
+ actions: read
+ contents: write
diff --git a/pkg/workflow/generator.go b/pkg/workflow/generator.go
index 38935cf..e05db2a 100644
--- a/pkg/workflow/generator.go
+++ b/pkg/workflow/generator.go
@@ -81,6 +81,9 @@ func generateWorkflowYAML(data WorkflowTemplate) (string, error) {
 workflow := map[string]interface{}{
 "name": "Sync Primary Repository to GitHub Mirror",
 "on": map[string]interface{}{
+ "push": map[string]interface{}{
+ "branches": []string{data.MirrorBranch},
+ },
 "schedule": []map[string]string{
 {"cron": data.CronSchedule},
 },
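Review bot: The `Security Check` step added ahead of checkout is not a security control: it only tests that `GITHUB_ACTIONS_ENVIRONMENT` is non-empty, a value any runner or local emulator can supply, so it says nothing about who or what triggered the run. `github.action` holds the name or id of the currently running action rather than a platform flag, and its value when job-level `env` is evaluated is not something to rely on; the documented indicator is the built-in `GITHUB_ACTIONS` variable. If this is meant as a sanity check, rename the step and test that variable directly, e.g. `run: if [ "$GITHUB_ACTIONS" != "true" ]; then echo "This workflow is only intended to run inside GitHub Actions"; exit 1; fi`, and drop the job-level `env:`. If the goal is to keep the job from running in forks or other repositories, a job-level `if:` comparing `github.repository` with the expected owner/name is the usual gate.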
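Review bot: The new top-level `permissions:` block grants `contents: write` and `actions: read` to every job in the workflow, and nothing visible in this diff shows a step that needs `actions: read`. Declaring permissions explicitly is the right direction; keep the grant to what the sync actually uses and place it on the `sync` job so any job added later does not inherit write access. If the mirror push authenticates with a separate credential rather than `GITHUB_TOKEN` (not visible here), `contents: read` would be enough. If write access is needed for the push, a comment above the block such as `# contents: write: the sync step pushes refs with GITHUB_TOKEN` would record why.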
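Review bot: `data.MirrorBranch` goes into the new `push.branches` filter without validation, so an empty value would emit `branches: [""]`, a trigger that presumably matches nothing or is rejected when the workflow is loaded. Either return early, `if data.MirrorBranch == "" { return "", errors.New("mirror branch is required") }`, or add the `"push"` key only when the field is set; the start of `generateWorkflowYAML` is outside this hunk, so a check may already exist there. It is also worth confirming that the sync does not push to `MirrorBranch` with a credential other than `GITHUB_TOKEN`, because such a push would re-trigger this workflow on every run. The committed sync.yaml in this diff shows no `push:` trigger, which suggests the checked-in file and the generator may be out of step unless another hunk covers it.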