Summary
The scheduled codeql-guard org sweep requires secrets.EVALOPS_ORG_READ_TOKEN, but the secret is not currently configured for evalops/.github. The 2026-04-30 scheduled run failed before code search with:
Set secrets.EVALOPS_ORG_READ_TOKEN to a token with org-wide code search access.
I did not set this to the local personal gh token because that would put a broad user credential into Actions without an explicit credential-owner decision.
Required setup
Create an Actions secret named EVALOPS_ORG_READ_TOKEN available to evalops/.github, backed by a least-privilege token that can search code across the EvalOps org.
Acceptance criteria
- gh secret list --repo evalops/.github or the selected org-secret configuration shows EVALOPS_ORG_READ_TOKEN available to this repo.
- A manual codeql-guard workflow dispatch reaches the org search step instead of failing on the missing-secret check.
- If real uses: github/codeql-action hits remain, the workflow opens or reuses a single codeql-guard: CodeQL workflow drift detected issue.
Related