diff --git a/.github/workflows/action-tests.yml b/.github/workflows/action-tests.yml
index 4d9b1a5..7a8f91f 100644
--- a/.github/workflows/action-tests.yml
+++ b/.github/workflows/action-tests.yml
@@ -11,6 +11,9 @@ on:
   push:
   pull_request:
 
+permissions:
+  contents: read
+
 env:
   DEBUG: ${{ github.event.inputs.debug || false }}
   # Test for overrides in built in shell options (regression issue 98).
diff --git a/install_and_cache_pkgs.sh b/install_and_cache_pkgs.sh
index 5e002e1..b943a5c 100755
--- a/install_and_cache_pkgs.sh
+++ b/install_and_cache_pkgs.sh
@@ -106,17 +106,22 @@ for installed_package in ${installed_packages}; do
           get_tar_relpath "${f}"
           if [ -L "${f}" ]; then
             symlink_path="${f}"
-            for i in $(seq 1 40); do
+            # Guard against circular links while still supporting deep alternatives chains.
+            max_symlink_depth=40
+            for i in $(seq 1 ${max_symlink_depth}); do
               if [ ! -L "${symlink_path}" ]; then
                 break
               fi
 
               target="$(readlink "${symlink_path}")"
-              if [ "${target:0:1}" = "/" ]; then
-                target_path="${target}"
-              else
-                target_path="$(dirname "${symlink_path}")/${target}"
-              fi
+              case "${target}" in
+                /*)
+                  target_path="${target}"
+                  ;;
+                *)
+                  target_path="$(dirname "${symlink_path}")/${target}"
+                  ;;
+              esac
 
               if [ -f "${target_path}" ] || [ -L "${target_path}" ]; then
                 get_tar_relpath "${target_path}"