Retire GitHub-managed CodeQL tombstone workflows

[haasonsaas]

Summary

EvalOps does not use CodeQL. The org security baseline is enforced with Code Security / CodeQL disabled, but GitHub still reports active managed workflow tombstones at dynamic/github-code-scanning/codeql on three repos.

Live evidence from 2026-05-21

Org security configuration:

• Config 245233: EvalOps security baseline recommended
• enforcement: enforced
• advanced_security: secret_protection
• code_scanning_default_setup: disabled

Affected active repos:

Repo	Workflow ID	Path	State	Repo Code Security
evalops/platform	267390102	dynamic/github-code-scanning/codeql	active	disabled
evalops/cerebro	264147529	dynamic/github-code-scanning/codeql	active	disabled
evalops/chat	254727389	dynamic/github-code-scanning/codeql	active	disabled

Verification already done:

• gh search code 'codeql org:evalops path:.github/workflows' returns [].
• gh search code 'github/codeql-action org:evalops' returns no checked-in workflow usage.
• Open org CodeQL alerts: 0.
• Branch protection/rulesets have no CodeQL / Code Quality / code scanning required checks.
• Latest dynamic CodeQL runs are older than the current enforced disable state:
  • platform: 2026-05-03T03:33:57Z
  • cerebro: 2026-05-21T00:42:02Z
  • chat: 2026-05-21T00:42:03Z

Attempts already made:

• Re-attached config 245233 directly to platform, cerebro, and chat; API returned {}.
• GET /repos/<repo>/code-scanning/default-setup now returns 403 Code Security must be enabled for this repository to use code scanning, confirming code scanning is functionally off.
• PUT /repos/<repo>/actions/workflows/<id>/disable still returns 422 Unable to disable this workflow, because these are GitHub-managed dynamic workflows.

Acceptance criteria

• GET /repos/<repo>/actions/workflows/<id> for the three workflow IDs above no longer returns state: active, or the workflows disappear from /actions/workflows entirely.
• No new dynamic/github-code-scanning/codeql runs are created after 2026-05-21T04:42:55Z.
• Org config 245233 remains enforced with code_scanning_default_setup: disabled.
• Checked-in workflows remain free of github/codeql-action and *codeql* workflow paths.

Notes

This is a GitHub-managed workflow tombstone, not a checked-in workflow problem. The user-side disable API is blocked, so this should stay open until GitHub Support/backend GC clears the managed workflow state.

[haasonsaas]

Follow-up live audit on 2026-05-21 found one additional GitHub-managed CodeQL tombstone:

• evalops/fermata workflow 254669726, path dynamic/github-code-scanning/codeql, state active
• gh workflow disable 254669726 --repo evalops/fermata returns HTTP 422: Unable to disable this workflow
• repo security_and_analysis.code_security is null, and GET /repos/evalops/fermata/code-scanning/default-setup returns 403 Code Security must be enabled, so default setup is not currently configurable/enabled even though the dynamic workflow record remains active
• recent CodeQL runs are old (2026-05-02 latest observed), with no current queued/in-progress run found in this audit

Also re-checked org code search: no checked-in .github/workflows usage of github/codeql-action; remaining matches are policy/runbook guardrails that forbid CodeQL.

[haasonsaas]

Update from the 2026-05-21 live CodeQL kill audit:

• Repo code search finds no checked-in workflow invoking github/codeql-action under evalops/*; hits are guardrail policy/tests/docs or incidental prose.
• evalops/cerebro still has an old workflow record 268046802 for .github/workflows/codeql.yml, but it is disabled_manually and the file is no longer present on main.
• Remaining GitHub-managed dynamic records still show as active and still reject the workflow disable endpoint with HTTP 422:
  • evalops/fermata workflow 254669726 path dynamic/github-code-scanning/codeql
  • evalops/cerebro workflow 264147529 path dynamic/github-code-scanning/codeql
  • evalops/chat workflow 254727389 path dynamic/github-code-scanning/codeql
  • evalops/platform workflow 267390102 path dynamic/github-code-scanning/codeql
• Cerebro repo policy now forbids **/codeql*.yml and **/codeql*.yaml for the EvalOps-on-EvalOps action factory repos, so agents should not be able to reintroduce CodeQL via PR policy-compliant action lanes.

No CodeQL runs were triggered during this audit.

[haasonsaas]

Additional live verification on 2026-05-21:

• gh search code 'github/codeql-action org:evalops path:.github/workflows' returned [].
• gh search code 'codeql org:evalops path:.github/workflows' returned [].
• Remaining CodeQL workflow records are GitHub-managed dynamic scanner records only:
  • evalops/platform workflow 267390102, dynamic/github-code-scanning/codeql, state active
  • evalops/cerebro workflow 264147529, dynamic/github-code-scanning/codeql, state active
  • evalops/chat workflow 254727389, dynamic/github-code-scanning/codeql, state active
  • archived evalops/fermata workflow 254669726, dynamic/github-code-scanning/codeql, state active
• Disable attempts against each dynamic workflow returned HTTP 422: Unable to disable this workflow.
• Old checked-in codeql.yml workflow records on evalops/platform and evalops/cerebro are disabled_manually; no codeql.yml files are present on main by code search.
• Guardrails: Cerebro action-factory policy now forbids **/codeql*.yml and **/codeql*.yaml; #1249 is in flight to align live policy checks without adding CodeQL.

So the repository-level kill state is done. The only remaining kill switch is GitHub code-scanning/security settings for those dynamic records, not workflow files.

[haasonsaas]

CodeQL kill switch follow-up, 2026-05-21:

• Re-attached enforced org security configuration 245233 (EvalOps security baseline recommended) to scope: all repos.
• Verified default for new repos is this baseline with code_scanning_default_setup: disabled and advanced_security: secret_protection.
• Verified all repos attached to the baseline show enforced.
• Verified representative active repos now report security_and_analysis.code_security.status == disabled: deploy, platform, cerebro, chat, nimbus, maestro-internal, conductor, ensemble, console, hopper, fabric.
• Verified checked-in workflow search is clean:
  • gh search code 'codeql org:evalops path:.github/workflows' => []
  • gh search code 'github/codeql-action org:evalops path:.github/workflows' => []
• Dynamic GitHub-managed workflow records still exist and cannot be disabled through the Actions workflow API; GitHub returns 422 Unable to disable this workflow for the generated dynamic/github-code-scanning/codeql records on platform, cerebro, and chat. These are now backed by repo/org security state that has Code Security disabled, so the actual CodeQL runner path is off rather than merely hidden in source.
• Latest dynamic CodeQL runs observed before/around the baseline change:
  • platform: latest listed run 2026-05-03T03:33:57Z
  • cerebro: latest listed run 2026-05-21T00:42:02Z
  • chat: latest listed run 2026-05-21T00:42:03Z

Net: CodeQL is not present in checked-in workflows, not default-enabled for new repos, and Code Security is disabled across the active repos rechecked after reattaching the enforced baseline. The only remaining CodeQL-looking objects are GitHub's undeletable generated workflow records.