diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 457e929c356..d82eb171f89 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -46,15 +46,6 @@ jobs:
           upload: false
           output: sarif-results
 
-      - name: Filter SARIF for third-party code
-        if: matrix.language == 'go'
-        uses: advanced-security/filter-sarif@2da736ff05ef065cb2894ac6892e47b5eac2c3c0 # v1.1.0.1.1
-        with:
-          patterns: |
-            -third-party/**
-          input: sarif-results/${{ matrix.language }}.sarif
-          output: sarif-results/${{ matrix.language }}.sarif
-
       - name: Upload filtered SARIF
         uses: github/codeql-action/upload-sarif@v4
         with:
diff --git a/.github/workflows/detect-spam.yml b/.github/workflows/detect-spam.yml
index fd259bd640c..d856d75a456 100644
--- a/.github/workflows/detect-spam.yml
+++ b/.github/workflows/detect-spam.yml
@@ -4,20 +4,19 @@ on:
     types: [opened]
 
 permissions:
-  contents: none
-  issues: write
-  models: read
+  contents: read # check out the repo to run the spam-detection scripts.
+  issues: write # read issue contents (gh issue view), comment, label, and close issues detected as spam.
+  models: read # run inference via `gh models run` for spam classification.
 
 jobs:
   issue-spam:
     runs-on: ubuntu-latest
-    environment: cli-automation
     steps:
       - name: Checkout repository
         uses: actions/checkout@v6
       - name: Run spam detection
         env:
-          GH_TOKEN: ${{ secrets.AUTOMATION_TOKEN }}
+          GH_TOKEN: ${{ github.token }}
           ISSUE_URL: ${{ github.event.issue.html_url }}
         run: |
           ./.github/workflows/scripts/spam-detection/process-issue.sh "$ISSUE_URL"
diff --git a/.github/workflows/triage-discussion-label.yml b/.github/workflows/triage-discussion-label.yml
deleted file mode 100644
index e2e4ea5e58a..00000000000
--- a/.github/workflows/triage-discussion-label.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-name: Process Discuss Label
-run-name: ${{ github.event_name == 'issues' && github.event.issue.title || github.event.pull_request.title }}
-permissions: {}
-on:
-  issues:
-    types:
-      - labeled
-  # pull_request_target (not pull_request) to access secrets for fork PRs.
-  # Safe: no PR code is checked out or executed.
-  pull_request_target:
-    types:
-      - labeled
-
-jobs:
-  discuss:
-    if: github.event.action == 'labeled' && github.event.label.name == 'discuss'
-    uses: desktop/gh-cli-and-desktop-shared-workflows/.github/workflows/triage-discuss.yml@main
-    with:
-      target_repo: 'github/cli'
-      cc_team: '@github/cli'
-      environment: cli-discuss-automation
-    secrets:
-      discussion_token: ${{ secrets.CLI_DISCUSSION_TRIAGE_TOKEN }}
diff --git a/.golangci.yml b/.golangci.yml
index 932a4b4384b..f50707936b2 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -29,8 +29,6 @@ linters:
     # - staticcheck
     # - errcheck
   exclusions:
-    paths:
-      - third-party
     rules:
       - path: _test\.go$
         linters:
@@ -62,9 +60,6 @@ linters:
 formatters:
   enable:
     - gofmt
-  exclusions:
-    paths:
-      - third-party
 
 issues:
   max-issues-per-linter: 0