
ci: verify codeql guard search hits against file contents#33

Merged
haasonsaas merged 1 commit into main from codex/codeql-guard-verify-hits
Apr 30, 2026

Conversation

@haasonsaas
Contributor

Summary

  • verify each org code-search hit by fetching the current workflow file contents
  • skip stale or tokenized search hits that no longer contain an actual uses: github/codeql-action step
  • preserve unverified fetch failures as drift hits so auth/API issues do not hide policy violations

Verification

@cursor cursor Bot commented Apr 30, 2026

PR Summary

Medium Risk
Updates a security-policy CI workflow that can change which repos are flagged for CodeQL drift; mistakes could hide violations or create noise if content fetching/regex matching behaves unexpectedly.

Overview
Improves the scheduled codeql-guard org sweep by fetching each matched workflow file via the GitHub Contents API and only reporting hits that still contain a real uses: github/codeql-action step.

Search hits that can’t be verified (API/auth failures) are still preserved as potential violations, while stale/tokenized matches are skipped with a notice to reduce false positives.

Reviewed by Cursor Bugbot for commit 6b0897a.
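The verification step described in the summary above boils down to one grep over the fetched workflow text. The following is an added example, not code from the evalops repository: it lifts the `uses:` regex from this PR's diff into a small function and runs it over constructed workflow snippets (the `has_codeql_use`, `check_one` and `WF_*` names are assumptions for this example; the real workflow gets the content from `gh api` rather than from inline strings). It shows what the sweep keeps as a hit and what it skips as a stale or tokenized match, including the case where a comment or a shell string merely mentions `github/codeql-action`.

```shell
# Added example (not the repository's own code). Applies the verification regex
# from the codeql-guard diff to constructed workflow snippets. Assumes a grep with
# POSIX ERE support (e.g. GNU grep); the real workflow fetches content via gh api.

# Exit 0 when the workflow text contains a real CodeQL action step, i.e. a line of
# the form "uses: github/codeql-action..." or "- uses: github/codeql-action...".
# The trailing group only allows "/", "@", whitespace or end of line after the
# action name, so look-alikes such as github/codeql-action-fork do not match.
has_codeql_use() {
  printf '%s\n' "$1" |
    grep -Eq '^[[:space:]]*(-[[:space:]]*)?uses:[[:space:]]*github/codeql-action([/@]|[[:space:]]|$)'
}

# Constructed sample workflow contents.
WF_SHORTHAND='jobs:
  analyze:
    steps:
      - uses: github/codeql-action/init@v3
      - uses: github/codeql-action/analyze@v3'

WF_LONGFORM='jobs:
  analyze:
    steps:
      - name: Init CodeQL
        uses: github/codeql-action/init@v3'

# Tokenized/stale hit: the action name appears only in a comment and a string,
# so org code search matches it, but no step actually runs CodeQL.
WF_STALE='jobs:
  lint:
    steps:
      # removed during migration: - uses: github/codeql-action/init@v2
      - run: echo "we used to run github/codeql-action here"'

# Different action with the same prefix; must not count as a CodeQL step.
WF_FORK='jobs:
  analyze:
    steps:
      - uses: github/codeql-action-fork/init@v3'

# Print the verdict the sweep would log for one sample.
check_one() {
  if has_codeql_use "$2"; then
    echo "$1: real CodeQL step found (keep as hit)"
  else
    echo "$1: no CodeQL step (skip as stale or tokenized hit)"
  fi
}

check_one shorthand "$WF_SHORTHAND"
check_one longform "$WF_LONGFORM"
check_one stale "$WF_STALE"
check_one fork "$WF_FORK"
```

Running it prints "keep as hit" for the two real workflows and "skip" for the commented-out and fork variants; the commented-out line is rejected because `#` is not whitespace, so the `^[[:space:]]*` anchor never reaches `uses:`.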


@cursor cursor Bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.


Bugbot Autofix prepared a fix for the issue found in the latest run.

  • ✅ Fixed: Grep misses - uses: YAML shorthand format
    • The workflow verification regex now accepts an optional YAML list prefix before uses:, so shorthand - uses: CodeQL steps are detected correctly.
Preview (6b0897a18e)
diff --git a/.github/workflows/codeql-guard.yml b/.github/workflows/codeql-guard.yml
--- a/.github/workflows/codeql-guard.yml
+++ b/.github/workflows/codeql-guard.yml
@@ -81,7 +81,19 @@
             if [ "${repo}" = "evalops/.github" ] && [ "${path}" = ".github/workflows/codeql-guard.yml" ]; then
               continue
             fi
-            hits+=("${repo}"$'\t'"${path}")
+            if ! content="$(
+              GH_TOKEN="${ORG_CODE_SEARCH_TOKEN}" gh api "repos/${repo}/contents/${path}" --jq '.content' |
+                base64 --decode
+            )"; then
+              echo "::warning::Could not verify ${repo}:${path}; preserving search hit."
+              hits+=("${repo}"$'\t'"${path}")
+              continue
+            fi
+            if grep -Eq '^[[:space:]]*(-[[:space:]]*)?uses:[[:space:]]*github/codeql-action([/@]|[[:space:]]|$)' <<< "${content}"; then
+              hits+=("${repo}"$'\t'"${path}")
+            else
+              echo "::notice::Skipping stale or non-use search hit ${repo}:${path}"
+            fi
           done <<< "${response}"
           if [ "${#hits[@]}" -eq 0 ]; then
             echo "ok: no CodeQL workflow files found in any evalops repo"
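Review bot: the fetch-failure branch guarded by `if ! content="$( ... | base64 --decode )"` only fires when the command substitution's exit status reflects `gh api`, and in a pipeline that is the status of the last command, `base64 --decode`, unless `pipefail` is enabled for the step. On a 404 or auth failure `gh api` prints nothing, `base64 --decode` of empty input exits 0, `content` is empty, the grep on the next `if` fails, and the hit is logged as "Skipping stale or non-use search hit" and dropped, the opposite of the "preserving search hit" warning this branch is meant to produce. Either capture the `gh api` output into a variable first and test that call's status directly, or make sure the step runs with `set -o pipefail` (the hunk does not show the step's shell settings), so that auth or API problems cannot silently turn a policy violation into a skipped hit.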


Reviewed by Cursor Bugbot for commit a1763e4.

haasonsaas force-pushed the codex/codeql-guard-verify-hits branch from a1763e4 to 6b0897a on April 30, 2026 at 15:07.
haasonsaas merged commit b3a15ce into main on Apr 30, 2026; 6 checks passed.
haasonsaas deleted the codex/codeql-guard-verify-hits branch on April 30, 2026 at 15:15.