From 4ca6284d1fa3e976dfdf7fa7d67537b4a2bdcc29 Mon Sep 17 00:00:00 2001
From: Jonathan Haas
Date: Thu, 30 Apr 2026 06:38:24 -0700
Subject: [PATCH 1/2] ci: narrow codeql guard org sweep query

---
 .github/workflows/codeql-guard.yml | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/codeql-guard.yml b/.github/workflows/codeql-guard.yml
index 8f319f6..ee35944 100644
--- a/.github/workflows/codeql-guard.yml
+++ b/.github/workflows/codeql-guard.yml
@@ -58,7 +58,7 @@ jobs:
GH_TOKEN: ${{ github.token }}
ORG_CODE_SEARCH_TOKEN: ${{ secrets.EVALOPS_ORG_READ_TOKEN }}
steps:
- - name: Search org for github/codeql-action references
+ - name: Search org for github/codeql-action uses
shell: bash
run: |
set -euo pipefail
@@ -68,19 +68,28 @@ jobs:
fi
response="$(
GH_TOKEN="${ORG_CODE_SEARCH_TOKEN}" gh api -X GET search/code \
- -f q='org:evalops "github/codeql-action" path:.github/workflows' \
+ -f q='org:evalops "uses: github/codeql-action" path:.github/workflows' \
--jq '.items[] | "\(.repository.full_name)\t\(.path)"' \
)"
- if [ -z "${response}" ]; then
+ hits=()
+ while IFS=$'\t' read -r repo path; do
+ if [ -z "${repo}" ]; then
+ continue
+ fi
+ if [ "${repo}" = "evalops/.github" ] && [ "${path}" = ".github/workflows/codeql-guard.yml" ]; then
+ continue
+ fi
+ hits+=("${repo}"$'\t'"${path}")
+ done <<< "${response}"
+ if [ "${#hits[@]}" -eq 0 ]; then
echo "ok: no CodeQL workflow files found in any evalops repo"
exit 0
fi
- mapfile -t hits <<< "${response}"
{
echo "## codeql-guard tripped"
echo
echo "EvalOps does not run GitHub CodeQL (see \`SECURITY.md\` and the Blacksmith"
- echo "code security configuration). The following workflow files reference"
+ echo "code security configuration). The following workflow files use"
echo "\`github/codeql-action\` and need to be removed or the policy amended:"
echo
for h in "${hits[@]}"; do
From cbd699eefb291651541644975b91ca93e5f8bfaf Mon Sep 17 00:00:00 2001
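Review bot: The sweep only ever sees the first page of code-search results, because `gh api -X GET search/code` on the `response=` line is called without `--paginate`, so once the org has more matches than one page holds (typically 30 for the search endpoints) any tripping workflow beyond that page is never reported. Adding `--paginate` leaves the rest of the pipeline unchanged since `--jq '.items[] | …'` already emits one line per item: `GH_TOKEN="${ORG_CODE_SEARCH_TOKEN}" gh api -X GET --paginate search/code \`. Separately, the narrowed exact-phrase query `"uses: github/codeql-action"` presumably no longer matches `uses:` lines written with different spacing or YAML quoting (for example `uses: "github/codeql-action/init@v3"`), so the narrowing trades some recall for dropping the guard's own self-reference; a comment on the `-f q=` line stating that trade-off would save the next maintainer from re-widening it by accident. The `run:` script continues past the end of this hunk.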
From: Cursor Agent
Date: Thu, 30 Apr 2026 13:44:54 +0000
Subject: [PATCH 2/2] Exclude codeql-guard workflow from org sweep

---
 .github/workflows/codeql-guard.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/codeql-guard.yml b/.github/workflows/codeql-guard.yml
index ee35944..4e2526b 100644
--- a/.github/workflows/codeql-guard.yml
+++ b/.github/workflows/codeql-guard.yml
@@ -69,7 +69,9 @@ jobs:
response="$(
GH_TOKEN="${ORG_CODE_SEARCH_TOKEN}" gh api -X GET search/code \
-f q='org:evalops "uses: github/codeql-action" path:.github/workflows' \
- --jq '.items[] | "\(.repository.full_name)\t\(.path)"' \
+ --jq '.items[]
+ | select(.repository.full_name != "evalops/.github" or .path != ".github/workflows/codeql-guard.yml")
+ | "\(.repository.full_name)\t\(.path)"' \
)"
hits=()
while IFS=$'\t' read -r repo path; do
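Review bot: The new jq `select(...)` duplicates the exclusion the bash loop still performs just past the end of this hunk (`if [ "${repo}" = "evalops/.github" ] && [ "${path}" = ".github/workflows/codeql-guard.yml" ]; then continue`, added by the previous patch), so the same policy now lives in two places and can drift. Either remove the bash branch or put a comment on the `select` line naming it as the authoritative filter. Both comparisons are case-sensitive string equality, so if the organisation's login casing ever differs from `evalops` neither exclusion matches and the guard trips on itself; `| select((.repository.full_name | ascii_downcase) != "evalops/.github" or .path != ".github/workflows/codeql-guard.yml")` would be robust to that. The filter also hardcodes the guard's own repository and path, so renaming this workflow silently reintroduces the self-hit — `${{ github.repository }}` could replace the repo literal, though I cannot see the job's env block from here.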