Fix: quote 0x literals in workflows; add workflow YAML guard

[MontrealAI]

Motivation

• GitHub Actions workflows were failing because long 0x... hex literals in .github/workflows/*.yml were being parsed as YAML ints and causing YAML parse errors before jobs ran.
• The change ensures those environment/private-key style values are treated as strings to avoid YAML 1.1 integer interpretation.
• A regression guard is required so CI will detect if unquoted 0x literals are reintroduced in future changes.

Description

• Quote unquoted 0x[0-9a-fA-F]{16,} literals across workflow files under .github/workflows/ (notably demo-asi-global, demo-asi-takeoff, demo-aurora, and multiple demo-zenith-* workflows). Only surrounding quotes were added; values were not modified.
• Add scripts/ci/verify-workflow-yaml.sh, a small checker that rg/greps for unquoted 0x literals and exits non-zero with a helpful message when found.
• Add an npm script ci:verify-workflow-yaml and wire it into the existing ci:preflight script so workflow YAML issues fail fast during preflight.

Testing

• Ran npm ci successfully to install dependencies.
• Ran npm run ci:preflight which executed the new ci:verify-workflow-yaml and the existing toolchain/lock checks and succeeded.
• Executed the new guard directly via bash scripts/ci/verify-workflow-yaml.sh and it returned success (no offending lines detected).
• Ran npm run ci:verify-toolchain, npm run ci:sync-contexts -- --check, npm run ci:verify-contexts, npm run ci:verify-companion-contexts, and npm run ci:verify-summary-needs, all of which completed successfully.

---

Codex Task

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 0bb1185159

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Fail the guard when ripgrep cannot run

The || true here suppresses any failure from the rg invocation, so if ripgrep isn’t installed on a developer machine or it errors while scanning .github/workflows, the script exits successfully with an empty match set and ci:preflight won’t enforce the YAML guard at all. This creates a false sense of safety because the guard can silently skip the check exactly when it is needed.

Useful? React with 👍 / 👎.