codeql-guard: CodeQL workflow drift detected

[github-actions]

codeql-guard tripped

EvalOps does not run GitHub CodeQL (see SECURITY.md and the Blacksmith
code security configuration). The following workflow files use
github/codeql-action and need to be removed or the policy amended:

• evalops/keep — .github/workflows/ci.yml
• evalops/deploy — .github/workflows/container-scan.yml

[haasonsaas]

Resolved.

What landed:

• ci: upload security SARIF without CodeQL action keep#66 removed the CodeQL SARIF action from the security scan uploads.
• ci: add SARIF fingerprints before upload keep#67 added deterministic SARIF partial fingerprints and processing-status polling.
• ci: encode SARIF upload category in run automation details keep#68 moved upload category into SARIF automationDetails.id instead of an unsupported REST body field.
• evalops/deploy#1740 removed the CodeQL SARIF action from the container scan workflow and added the same direct uploader behavior.
• ci: verify codeql guard search hits against file contents #33 made the org guard verify current workflow file contents before treating code-search hits as real drift, so stale/tokenized search results do not reopen false positives.

Verification:

• Manual codeql-guard dispatch passed on main: https://github.com/evalops/.github/actions/runs/25173488703
• Sweep evalops/* for CodeQL workflow drift: success
• Forbid CodeQL in evalops/.github: success