diff --git a/.github/workflows/octo-ci-status.yml b/.github/workflows/octo-ci-status.yml
index 3db1ab4..188204c 100644
--- a/.github/workflows/octo-ci-status.yml
+++ b/.github/workflows/octo-ci-status.yml
@@ -28,6 +28,9 @@ on:
       OCTO_BOT_TOKEN:
         required: true
 
+permissions:
+  actions: read
+
 jobs:
   notify:
     runs-on: ubuntu-latest
@@ -103,6 +106,11 @@ jobs:
               print('No state change, silent.')
               sys.exit(0)
 
+          # Guard: first-ever run has no previous history — skip silently
+          if prev_conclusion is None:
+              print('First run detected (no previous history), skipping notification.')
+              sys.exit(0)
+
           # Determine message
           if curr_conclusion == 'failure':
               msg = (
diff --git a/.github/workflows/octo-issue-feed.yml b/.github/workflows/octo-issue-feed.yml
index bf38f6b..263c639 100644
--- a/.github/workflows/octo-issue-feed.yml
+++ b/.github/workflows/octo-issue-feed.yml
@@ -33,6 +33,8 @@ on:
       OCTO_BOT_TOKEN:
         required: true
 
+permissions: {}
+
 jobs:
   notify:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/octo-pr-feed.yml b/.github/workflows/octo-pr-feed.yml
index 64c81e0..e619834 100644
--- a/.github/workflows/octo-pr-feed.yml
+++ b/.github/workflows/octo-pr-feed.yml
@@ -42,6 +42,8 @@ on:
       OCTO_BOT_TOKEN:
         required: true
 
+permissions: {}
+
 jobs:
   notify:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/pr-merged-done.yml b/.github/workflows/pr-merged-done.yml
index f079416..9aca49c 100644
--- a/.github/workflows/pr-merged-done.yml
+++ b/.github/workflows/pr-merged-done.yml
@@ -15,6 +15,8 @@ on:
       PROJECT_TOKEN:
         required: true
 
+permissions: {}
+
 jobs:
   move-to-done:
     runs-on: ubuntu-latest