diff --git a/.github/workflows/issue-welcome.yml b/.github/workflows/issue-welcome.yml
index e40c11a..16e2651 100644
--- a/.github/workflows/issue-welcome.yml
+++ b/.github/workflows/issue-welcome.yml
@@ -24,7 +24,8 @@ jobs:
               return;
             }
             // Skip bot-opened issues (Dependabot, etc.)
-            if (issue.user.type === 'Bot') {
+            // Guard against ghost/deleted user accounts where issue.user may be null
+            if (issue.user && issue.user.type === 'Bot') {
               console.log('Skipping bot-opened issue');
               return;
             }
diff --git a/.github/workflows/octo-ci-status.yml b/.github/workflows/octo-ci-status.yml
index f7f94b0..fb74086 100644
--- a/.github/workflows/octo-ci-status.yml
+++ b/.github/workflows/octo-ci-status.yml
@@ -82,7 +82,7 @@ jobs:
           def require_repo_name(name):
               """Validate repo name to prevent path traversal in GitHub API URLs."""
               val = require_env(name)
-              if not re.fullmatch(r'[A-Za-z0-9._-]{1,100}', val):
+              if not re.fullmatch(r'[A-Za-z0-9][A-Za-z0-9._-]{0,99}', val) or val in {'.', '..'}:
                   print(f'ERROR: {name} contains invalid characters: {val!r}')
                   sys.exit(2)
               return val
diff --git a/.github/workflows/octo-issue-feed.yml b/.github/workflows/octo-issue-feed.yml
index b4a9f5d..9602a9e 100644
--- a/.github/workflows/octo-issue-feed.yml
+++ b/.github/workflows/octo-issue-feed.yml
@@ -90,7 +90,7 @@ jobs:
           def require_repo_name(name):
               """Validate repo name to prevent path traversal in GitHub API URLs."""
               val = require_env(name)
-              if not re.fullmatch(r'[A-Za-z0-9._-]{1,100}', val):
+              if not re.fullmatch(r'[A-Za-z0-9][A-Za-z0-9._-]{0,99}', val) or val in {'.', '..'}:
                   print(f'ERROR: {name} contains invalid characters: {val!r}')
                   sys.exit(2)
               return val
diff --git a/.github/workflows/octo-pr-feed.yml b/.github/workflows/octo-pr-feed.yml
index 75afaa3..9f3cf05 100644
--- a/.github/workflows/octo-pr-feed.yml
+++ b/.github/workflows/octo-pr-feed.yml
@@ -107,7 +107,7 @@ jobs:
           def require_repo_name(name):
               """Validate repo name to prevent path traversal in GitHub API URLs."""
               val = require_env(name)
-              if not re.fullmatch(r'[A-Za-z0-9._-]{1,100}', val):
+              if not re.fullmatch(r'[A-Za-z0-9][A-Za-z0-9._-]{0,99}', val) or val in {'.', '..'}:
                   print(f'ERROR: {name} contains invalid characters: {val!r}')
                   sys.exit(2)
               return val