From 6b0897a18e120fa821b8107fc9f675d0a90c8e38 Mon Sep 17 00:00:00 2001
From: Jonathan Haas
Date: Thu, 30 Apr 2026 08:02:48 -0700
Subject: [PATCH] ci: verify codeql guard search hits

---
 .github/workflows/codeql-guard.yml | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/codeql-guard.yml b/.github/workflows/codeql-guard.yml
index 4e2526b..204423e 100644
--- a/.github/workflows/codeql-guard.yml
+++ b/.github/workflows/codeql-guard.yml
@@ -81,7 +81,19 @@ jobs:
 if [ "${repo}" = "evalops/.github" ] && [ "${path}" = ".github/workflows/codeql-guard.yml" ]; then
 continue
 fi
- hits+=("${repo}"$'\t'"${path}")
+ if ! content="$(
+ GH_TOKEN="${ORG_CODE_SEARCH_TOKEN}" gh api "repos/${repo}/contents/${path}" --jq '.content' |
+ base64 --decode
+ )"; then
+ echo "::warning::Could not verify ${repo}:${path}; preserving search hit."
+ hits+=("${repo}"$'\t'"${path}")
+ continue
+ fi
+ if grep -Eq '^[[:space:]]*(-[[:space:]]*)?uses:[[:space:]]*github/codeql-action([/@]|[[:space:]]|$)' <<< "${content}"; then
+ hits+=("${repo}"$'\t'"${path}")
+ else
+ echo "::notice::Skipping stale or non-use search hit ${repo}:${path}"
+ fi
 done <<< "${response}"
 if [ "${#hits[@]}" -eq 0 ]; then
 echo "ok: no CodeQL workflow files found in any evalops repo"
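Review bot: The `if ! content="$( gh api … | base64 --decode )"` test only sees the exit status of `base64 --decode`, so unless the step runs under `set -o pipefail` (the step's shell options sit above this hunk and are not visible here) a failed `gh api` call — 404, rate limit, revoked `ORG_CODE_SEARCH_TOKEN` — decodes empty input with status 0, `content` ends up empty, the grep misses, and the hit is dropped as "stale or non-use" instead of being preserved as the warning branch intends; the same happens when the contents API returns no inline `content` (as it does for larger files), because `--jq '.content'` prints `null` and base64 decodes that without complaint. Fetch the encoded blob on its own and treat an empty result as unverifiable: `if ! encoded="$(GH_TOKEN="${ORG_CODE_SEARCH_TOKEN}" gh api "repos/${repo}/contents/${path}" --jq '.content // empty')" || [ -z "${encoded}" ]; then`, keep the existing warning/preserve/`continue` body, then `content="$(base64 --decode <<< "${encoded}")"` before the grep. That keeps the fail-safe direction the commit message promises: an unverifiable hit stays a hit rather than silently becoming a pass. The enclosing `while … read` loop and its shell options begin before this hunk.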