diff --git a/tools/hygiene/github-settings.expected.json b/tools/hygiene/github-settings.expected.json
index 3eaf77371..82a2185a2 100644
--- a/tools/hygiene/github-settings.expected.json
+++ b/tools/hygiene/github-settings.expected.json
@@ -86,12 +86,6 @@
           },
           "type": "copilot_code_review"
         },
-        {
-          "parameters": {
-            "severity": "all"
-          },
-          "type": "code_quality"
-        },
         {
           "parameters": {
             "allowed_merge_methods": [
@@ -139,7 +133,7 @@
         "lint (semgrep)",
         "lint (shellcheck)"
       ],
-      "strict": true
+      "strict": false
     }
   },
   "actions_permissions": {
@@ -172,6 +166,16 @@
       "path": ".github/workflows/codeql.yml",
       "state": "active"
     },
+    {
+      "name": "CodeQL",
+      "path": "dynamic/github-code-scanning/codeql",
+      "state": "active"
+    },
+    {
+      "name": "Copilot cloud agent",
+      "path": "dynamic/copilot-swe-agent/copilot",
+      "state": "active"
+    },
     {
       "name": "Copilot code review",
       "path": "dynamic/copilot-pull-request-reviewer/copilot-pull-request-reviewer",
@@ -182,13 +186,57 @@
       "path": "dynamic/dependabot/dependabot-updates",
       "state": "active"
     },
+    {
+      "name": "backlog-index-integrity",
+      "path": ".github/workflows/backlog-index-integrity.yml",
+      "state": "active"
+    },
+    {
+      "name": "budget-snapshot-cadence",
+      "path": ".github/workflows/budget-snapshot-cadence.yml",
+      "state": "active"
+    },
     {
       "name": "gate",
       "path": ".github/workflows/gate.yml",
       "state": "active"
+    },
+    {
+      "name": "low-memory",
+      "path": ".github/workflows/low-memory.yml",
+      "state": "active"
+    },
+    {
+      "name": "memory-index-duplicate-lint",
+      "path": ".github/workflows/memory-index-duplicate-lint.yml",
+      "state": "active"
+    },
+    {
+      "name": "memory-index-integrity",
+      "path": ".github/workflows/memory-index-integrity.yml",
+      "state": "active"
+    },
+    {
+      "name": "memory-reference-existence-lint",
+      "path": ".github/workflows/memory-reference-existence-lint.yml",
+      "state": "active"
+    },
+    {
+      "name": "resume-diff",
+      "path": ".github/workflows/resume-diff.yml",
+      "state": "active"
+    },
+    {
+      "name": "scorecard",
+      "path": ".github/workflows/scorecard.yml",
+      "state": "active"
     }
   ],
   "environments": [
+    {
+      "name": "copilot",
+      "protection_rule_types": []
+    },
     {
       "name": "github-pages",
       "protection_rule_types": [
@@ -214,7 +262,7 @@
       "javascript-typescript",
       "typescript"
     ],
-    "query_suite": "default",
+    "query_suite": "extended",
     "state": "not-configured"
   },
   "security": {
diff --git a/tools/hygiene/snapshot-github-settings.sh b/tools/hygiene/snapshot-github-settings.sh
index 438d2573c..9e773a751 100755
--- a/tools/hygiene/snapshot-github-settings.sh
+++ b/tools/hygiene/snapshot-github-settings.sh
@@ -105,7 +105,7 @@ actions_perms_json=$(gh api "/repos/$repo/actions/permissions" --jq '{enabled, a
 
 actions_vars_json=$(gh api "/repos/$repo/actions/variables" --jq '[.variables[]? | {name, value}] | sort_by(.name)')
 
-workflows_json=$(gh api "/repos/$repo/actions/workflows" --jq '[.workflows[] | {name, state, path}] | sort_by(.name)')
+workflows_json=$(gh api "/repos/$repo/actions/workflows" --jq '[.workflows[] | {name, state, path}] | sort_by(.name, .path)')
 
 envs_json=$(gh api "/repos/$repo/environments" --jq '[.environments[]? | {name, protection_rule_types: [.protection_rules[]?.type] | sort}] | sort_by(.name)')