diff --git a/.github/secret_scanning.yml b/.github/secret_scanning.yml
new file mode 100644
index 000000000..83ee7b460
--- /dev/null
+++ b/.github/secret_scanning.yml
@@ -0,0 +1,3 @@
+paths-ignore:
+  - 'third-party/**'
+  - 'third-party-licenses.*.md'
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index d74e1c142..37bbb0607 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -32,6 +32,10 @@ jobs:
         with:
           languages: ${{ matrix.language }}
           queries: security-and-quality
+          config: |
+            paths-ignore:
+              - 'third-party/**'
+              - 'third-party-licenses.*.md'
 
       - name: Setup Go
         if: matrix.language == 'go'
diff --git a/.github/workflows/pr-help-wanted.yml b/.github/workflows/pr-help-wanted.yml
index 0d7245836..16c135644 100644
--- a/.github/workflows/pr-help-wanted.yml
+++ b/.github/workflows/pr-help-wanted.yml
@@ -20,7 +20,7 @@ jobs:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           PR_AUTHOR: ${{ github.event.pull_request.user.login }}
           PR_AUTHOR_TYPE: ${{ github.event.pull_request.user.type }}
-        if: !github.event.pull_request.draft
+        if: "!github.event.pull_request.draft"
         run: |
           # Skip if PR is from a bot or org member
           if [ "$PR_AUTHOR_TYPE" = "Bot" ] || "gh api orgs/cli/public_members/${PR_AUTHOR}" --silent 2>/dev/null