1. autoapproval.yml — references a defunct bot
dependabot-preview was shut down years ago; the real bot is just dependabot[bot]. This file does nothing and should be updated or deleted.
2. Broken Slack URL in every issue template
All six templates have https:https://join.slack.com/... — the double-protocol typo means the link is dead. Affects bug_report.md, feature_request.md, problem_validation.md, flaky_test.md, chore.md, documentation.md.
3. npm_lint_and_test.yml path trigger typo
Triggers on package.lock.json but the actual file is package-lock.json (hyphen, not dot). The npm lint workflow silently never fires on lockfile changes.
4. issue-auto-close-done.yml uses a deprecated event
project_card is a GitHub Projects v1 API event. Projects v1 is effectively dead. This workflow likely does nothing.
5. Hardcoded Projects v1 column IDs
issue-auto-unassign.yml (from_column: '8461148', to_column: '15690587') and remove-label-based-on-column.yml (column_id: "47fc9ee4") reference Projects v1 columns by raw ID. These won't resolve against Projects v2 boards.
6. remove-helped-wanted.yml pinned to @master
uses: andymckay/labeler@master
master is a mutable ref — the action can change under you at any time, including maliciously. Pin to a specific tag or commit SHA.
7. docker.yml uses chmod 777
chmod 777 tmp tmp/downloads
World-writable directories in a CI runner with network access are unnecessary. chmod 755 suffices.
8. copilot-review.instructions.md and ruby.instructions.md reference Ruby 3.x
The project has moved to Ruby 4.0.2 (per Dockerfile). Both instruction files say "Ruby 3.x" — Copilot/AI reviewers will give wrong advice about version-specific behavior.
9. rfg-event-2025 branch in 19 workflow triggers
Almost every workflow includes rfg-event-2025 as a PR target branch. That event was in 2025; the branch is presumably dead weight now (April 2026). These should be removed.
10. FUNDING.yml is full of placeholder comments
Every platform except github: [rubyforgood] is an unfilled # Replace with... placeholder. Strip the unused lines — they just add noise.
11. toc.yml has no paths: filter
The TOC generator runs on every push to main regardless of whether any Markdown changed. Add a paths filter so it only fires when documentation files change.
12. PostgreSQL version mismatch across CI jobs
| Workflow | Postgres |
|---|---|
| factory_bot_lint.yml | 12.3 |
| rake-after_party.yml | 12.3 |
| rspec.yml | 14.8 |
Factories and after_party tasks test against Postgres 12 while actual specs run against 14. A Postgres 14 feature used in migrations could pass rspec but silently break linting.
13. yaml_lint.yml missing rfg-event-2025 from PR target branches
Every other workflow includes rfg-event-2025 as a PR target; yaml_lint does not. (Moot once #9 is cleaned up, but worth noting the inconsistency.)
14. combine_and_report.yml has no callers
It's a workflow_call reusable workflow, but nothing in this repo's workflows calls it. Either it's dead code or it's called from a workflow that wasn't committed.
15. codeql-analysis.yml only scans JavaScript, not Ruby
The matrix is language: ['javascript']. CodeQL has full Ruby support — this is a free security scan being left on the table for the primary language.
16. dependabot.yml doesn't cover Docker
Base images (ruby:4.0.2-alpine, node:24-alpine, postgres:14.8) are pinned by tag but not tracked by Dependabot. Adding package-ecosystem: "docker" would automate those bumps.
17. Most workflows have no timeout-minutes
Only rspec.yml and docker.yml cap run time. factory_bot_lint, ruby_lint, erb_lint, spec_checker, etc. can hang indefinitely and consume minutes quota. A timeout-minutes: 15 default costs nothing.
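Findings 4, 6, 12 and 17 are all things a short script can catch on every PR rather than by hand. The block below is an added example, not code from this repository or from any of the actions it mentions: a line-based scan of workflow text that reports action refs not pinned to a commit SHA (branch refs as "unpinned-action", movable version tags as "tag-ref"), the deprecated project_card trigger, jobs without timeout-minutes, and Postgres image tags that differ between workflows. The four sample workflows are constructed to mirror the findings, the 40-hex checkout ref is a placeholder rather than a real commit, and the job splitter assumes jobs: at column 0 with consistent indentation, which is what lets it avoid a YAML dependency. The names audit, check_ids and SAMPLE_WORKFLOWS are the example's own.

```python
"""Added example (not code from the audited repo): line-based audit of GitHub
Actions workflows for unpinned action refs, the deprecated project_card
trigger, jobs without timeout-minutes and inconsistent Postgres images."""
import re

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^@\s]+)@([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_TAG_RE = re.compile(r"^v?\d+(?:\.\d+)*$")
PROJECT_CARD_RE = re.compile(r"^\s*(?:-\s*)?project_card\s*:?\s*$")
POSTGRES_IMAGE_RE = re.compile(r"\bpostgres:(\d+(?:\.\d+)*)")
TIMEOUT_RE = re.compile(r"^\s*timeout-minutes:\s*\d+")

# Constructed sample workflows modelled on the findings above; the 40-hex
# checkout ref is a placeholder, not a real commit.
SAMPLE_WORKFLOWS = {
    "remove-helped-wanted.yml": """\
jobs:
  remove:
    steps:
      - uses: andymckay/labeler@master
""",
    "rspec.yml": """\
jobs:
  test:
    timeout-minutes: 30
    services:
      postgres:
        image: postgres:14.8
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
""",
    "factory_bot_lint.yml": """\
jobs:
  lint:
    services:
      postgres:
        image: postgres:12.3
    steps:
      - uses: actions/checkout@v4
""",
    "issue-auto-close-done.yml": """\
on:
  project_card:
jobs:
  close:
    steps:
      - uses: actions/github-script@v7
""",
}


def _jobs(lines):
    # Split the jobs: block into (name, body lines) by indentation; assumes
    # jobs: at column 0 and every job name at the same indent level.
    jobs, in_jobs, job_indent = [], False, None
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if not in_jobs:
            in_jobs = line.startswith("jobs:")
            continue
        if indent == 0:  # next top-level key closes the jobs block
            break
        job_indent = indent if job_indent is None else job_indent
        header = re.match(r"^\s*([\w-]+):\s*$", line)
        if indent == job_indent and header:
            jobs.append((header.group(1), []))
        elif jobs:
            jobs[-1][1].append(line)
    return jobs


def audit(workflows):
    # Return (file, check id, detail) triples for a {file name: text} map.
    findings, postgres = [], {}
    for name, text in workflows.items():
        lines = text.splitlines()
        for line in lines:
            m = USES_RE.match(line)
            if m and not m.group(1).startswith(("./", "docker://")):
                action, ref = m.groups()
                if VERSION_TAG_RE.match(ref):
                    findings.append((name, "tag-ref", f"{action}@{ref}: tag can be moved; a commit SHA is stronger"))
                elif not FULL_SHA_RE.match(ref):
                    findings.append((name, "unpinned-action", f"{action}@{ref}: branch ref, pin to a tag or commit SHA"))
            if PROJECT_CARD_RE.match(line):
                findings.append((name, "deprecated-event", "project_card is a Projects v1 event"))
            for version in POSTGRES_IMAGE_RE.findall(line):
                postgres.setdefault(name, set()).add(version)
        for job, body in _jobs(lines):
            if not any(TIMEOUT_RE.match(l) for l in body):
                findings.append((name, "no-timeout", f"job {job!r} has no timeout-minutes"))
    if len({v for vs in postgres.values() for v in vs}) > 1:
        detail = ", ".join(f"{n}={'/'.join(sorted(vs))}" for n, vs in sorted(postgres.items()))
        findings.append(("<cross-workflow>", "postgres-mismatch", detail))
    return findings


def check_ids(workflows):
    # (file, check id) pairs, handy for asserting on results.
    return {(f, c) for f, c, _ in audit(workflows)}
```

To run it against a real checkout, read each file under .github/workflows into the dict that audit takes. A timeout-minutes set on a step inside a job also satisfies the no-timeout check, because the scan looks anywhere in the job body rather than only at the job's own keys.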
18. stale.yml uses magic number days-before-issue-close: 9999
The proper way to disable issue auto-closing in the stale action is days-before-issue-close: -1. 9999 works but is semantically wrong and confusing.