From b44c0b8967e3ece4e567897077907ac7f40919d7 Mon Sep 17 00:00:00 2001
From: Aaron Stainback <aaron_bond@yahoo.com>
Date: Fri, 24 Apr 2026 07:45:02 -0400
Subject: [PATCH 1/3] =?UTF-8?q?tools:=20lint/runner-version-freshness.sh?=
 =?UTF-8?q?=20=E2=80=94=20structural=20enforcement=20for=20Otto-213=20dura?=
 =?UTF-8?q?ble=20lesson?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Otto-214 implementation of the tooling-level enforcement
I proposed Otto-213. Memory-alone was not sufficient to
stop the "write a stale version number" recurrence
pattern; this script adds a CI-fail gate.

Behavior:

- Walks .github/workflows/*.yml files
- Extracts runs-on: + os: matrix lines
- Fails (exit 2) if any line references a STALE runner
  version (ubuntu-22.04, macos-14, macos-15, windows-2022,
  ubuntu-20.04, macos-13, macos-15-intel, etc.)
- Warns (exit 3) if the allow-list itself is stale (>30
  days since LAST_VERIFIED)
- Prints the canonical list of ALLOWED labels on failure
  + the authoritative GitHub docs URL for re-verification

Allow-list verified 2026-04-24 via
https://docs.github.com/en/actions/how-tos/write-workflows/choose-where-workflows-run/choose-the-runner-for-a-job#standard-github-hosted-runners-for-public-repositories
exact quote "Use of the standard GitHub-hosted runners
is free and unlimited on public repositories."

First-run detects 13 stale-label hits across codeql.yml,
gate.yml, github-settings-drift.yml (plus stale comment-
block references in gate.yml from the pre-correction
history). These will be cleaned up by PR #359 for
gate.yml; codeql.yml + github-settings-drift.yml need
separate follow-up PRs.

Does NOT wire into gate.yml automatically — separate
step to add the lint check after the baseline is green.
Premature enforcement would block every current PR.
Sequencing: (1) this PR ships the tool; (2) follow-up
PRs clean up existing stale refs (gate.yml already
covered by #359; others queued); (3) once baseline is
clean, add to gate.yml lint job.

Composes with:

- Otto-213 version-numbers-require-websearch memory
- Otto-212 use-latest-tags + security-hygiene directive
- Otto-210/211 macOS-is-free + M1-not-Intel corrections
- FACTORY-HYGIENE row #43 safe-pattern compliance
- Analogous pattern to audit-cross-platform-parity.sh
  (detect-only-first, enforce-when-baseline-green)

Test plan:

- Runs clean when no stale labels present
- Exits 2 with clear message when stale labels present
- Warns when allow-list >30 days old
- Shellcheck clean (SC2001 note acknowledged; the
  non-bash-4 sed-style substitution is intentional for
  macOS default-bash-3.x compatibility per FACTORY-
  HYGIENE row #51 cross-platform parity)
- Portable: no mapfile (bash 4+ only); uses while-read
  loop pattern that works in bash 3.x

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 tools/lint/runner-version-freshness.sh | 183 +++++++++++++++++++++++++
 1 file changed, 183 insertions(+)
 create mode 100755 tools/lint/runner-version-freshness.sh

diff --git a/tools/lint/runner-version-freshness.sh b/tools/lint/runner-version-freshness.sh
new file mode 100755
index 00000000..6b0dbf65
--- /dev/null
+++ b/tools/lint/runner-version-freshness.sh
@@ -0,0 +1,183 @@
+#!/usr/bin/env bash
+# tools/lint/runner-version-freshness.sh
+#
+# Fails CI when a GitHub Actions workflow pins a runner
+# to a version-older-than-latest. Otto-213 durable
+# compounding-failure mitigation: training-data version
+# numbers are stale by definition; structural lint is
+# the enforcement mechanism that memory-alone doesn't
+# provide.
+#
+# Allow-list sourced from the authoritative GitHub docs
+# page:
+#   https://docs.github.com/en/actions/how-tos/write-workflows/choose-where-workflows-run/choose-the-runner-for-a-job#standard-github-hosted-runners-for-public-repositories
+# The "Standard GitHub-hosted runners for public
+# repositories" table lists the current standard-runner
+# labels. Public-repo-free applies to these labels only.
+#
+# Allow-list verified: 2026-04-24 via the above URL.
+# Refresh cadence: the ALLOWED_LABELS list below has an
+# explicit "LAST_VERIFIED" timestamp. If the timestamp
+# is >30 days old, the script warns (not fails) reminding
+# the operator to re-verify. When GitHub announces a new
+# stable runner (macos-27 GA, windows-2028 GA, etc.),
+# the allow-list must be updated + LAST_VERIFIED bumped.
+#
+# Deliberately NOT allowed: older pinned versions
+# (ubuntu-22.04, macos-14, macos-15, windows-2022,
+# windows-2019, etc.). These were "latest" at some
+# prior point but are stale now. Pinning to them creates
+# upgrade debt the moment the pin lands.
+#
+# Usage:
+#   tools/lint/runner-version-freshness.sh                # lint all workflows
+#   tools/lint/runner-version-freshness.sh <file>...      # lint specific files
+#
+# Exit codes:
+#   0  all runner labels are current
+#   1  environment / usage error
+#   2  one or more stale labels detected
+#   3  allow-list age warning (stale LAST_VERIFIED > 30 days)
+
+set -euo pipefail
+
+# Allow-list verified 2026-04-24. Source URL:
+# https://docs.github.com/en/actions/how-tos/write-workflows/choose-where-workflows-run/choose-the-runner-for-a-job#standard-github-hosted-runners-for-public-repositories
+LAST_VERIFIED="2026-04-24"
+VERIFY_URL="https://docs.github.com/en/actions/how-tos/write-workflows/choose-where-workflows-run/choose-the-runner-for-a-job#standard-github-hosted-runners-for-public-repositories"
+
+ALLOWED_LABELS=(
+  # Linux x64 — latest LTS + slim variant
+  "ubuntu-slim"
+  "ubuntu-latest"
+  "ubuntu-24.04"
+
+  # Linux arm64 — no -latest alias exists yet; pin to
+  # latest specific version available
+  "ubuntu-24.04-arm"
+
+  # Windows x64 — latest GA + rolling alias + 2025 vs
+  # vs2026 variant
+  "windows-latest"
+  "windows-2025"
+  "windows-2025-vs2026"
+
+  # Windows arm64
+  "windows-11-arm"
+
+  # macOS arm64 (Apple Silicon) — latest GA + rolling
+  "macos-latest"
+  "macos-26"
+
+  # macOS Intel — latest GA
+  "macos-26-intel"
+
+  # Self-hosted labels — not on the standard list but
+  # allowed-by-convention when the self-hosted pool is
+  # configured. Add here if needed with comment
+  # justifying the exception.
+)
+
+STALE_LABELS=(
+  "ubuntu-22.04"
+  "ubuntu-22.04-arm"
+  "ubuntu-20.04"
+  "macos-14"
+  "macos-15"
+  "macos-15-intel"
+  "macos-13"
+  "macos-13-xlarge"
+  "windows-2022"
+  "windows-2019"
+)
+
+# Warn if allow-list is stale.
+_verify_age_ok() {
+  # Portable: compute days since LAST_VERIFIED on both
+  # Linux (GNU date) and macOS (BSD date).
+  local now_epoch last_epoch age_days
+  now_epoch="$(date -u +%s)"
+  if date -j -f "%Y-%m-%d" "$LAST_VERIFIED" "+%s" >/dev/null 2>&1; then
+    last_epoch="$(date -j -f "%Y-%m-%d" "$LAST_VERIFIED" "+%s")"
+  elif date -d "$LAST_VERIFIED" "+%s" >/dev/null 2>&1; then
+    last_epoch="$(date -d "$LAST_VERIFIED" "+%s")"
+  else
+    echo "WARN: could not parse LAST_VERIFIED=$LAST_VERIFIED on this platform" >&2
+    return 0
+  fi
+  age_days=$(( (now_epoch - last_epoch) / 86400 ))
+  if (( age_days > 30 )); then
+    echo "WARN: runner-version allow-list last verified $age_days days ago ($LAST_VERIFIED)." >&2
+    echo "      Re-verify against: $VERIFY_URL" >&2
+    echo "      Then bump LAST_VERIFIED in this script." >&2
+    return 1
+  fi
+  return 0
+}
+
+# Discover files.
+if [ $# -eq 0 ]; then
+  files=()
+  while IFS= read -r f; do files+=("$f"); done < <(find .github/workflows -type f \( -name "*.yml" -o -name "*.yaml" \) 2>/dev/null | sort)
+else
+  files=("$@")
+fi
+
+if [ "${#files[@]}" -eq 0 ]; then
+  echo "no workflow files found; nothing to lint"
+  exit 0
+fi
+
+# Build regex alternation of stale labels for one grep.
+stale_pattern="$(IFS='|'; echo "${STALE_LABELS[*]}")"
+
+fail=0
+warn=0
+
+for file in "${files[@]}"; do
+  # Extract lines that look like runner-label references.
+  # Match:
+  #   runs-on: <label>
+  #   runs-on: ${{ matrix.os }}  (ignored — the matrix
+  #                                content is where the
+  #                                labels live)
+  #   os: [label1, label2, ...]
+  #   - <label> (inside a matrix list continuation)
+  #
+  # Then grep for any STALE_LABEL in those lines.
+  matches="$(grep -nE "runs-on:|\bos:\b|- ${stale_pattern}" "$file" 2>/dev/null || true)"
+  hits="$(echo "$matches" | grep -E "\b(${stale_pattern})\b" || true)"
+  if [ -n "$hits" ]; then
+    echo "STALE RUNNER LABEL(S) in $file:"
+    echo "$hits" | sed 's/^/  /'
+    fail=1
+  fi
+done
+
+if _verify_age_ok; then
+  : # fresh
+else
+  warn=1
+fi
+
+if [ "$fail" = "1" ]; then
+  echo ""
+  echo "One or more workflow files pin stale runner versions."
+  echo "Update to the current standard-runner labels. Canonical list:"
+  for l in "${ALLOWED_LABELS[@]}"; do
+    echo "  - $l"
+  done
+  echo ""
+  echo "Source: $VERIFY_URL"
+  exit 2
+fi
+
+if [ "$warn" = "1" ]; then
+  # Warn-only exit: CI can be configured to treat exit 3
+  # as fail-soft if the allow-list freshness is itself
+  # a hard requirement.
+  exit 3
+fi
+
+echo "ok: all workflow runner labels are current (verified $LAST_VERIFIED)"
+exit 0

From 55eeb4ce6b186fba0b80c6b48d3872a9dcac0bd0 Mon Sep 17 00:00:00 2001
From: Aaron Stainback <aaron_bond@yahoo.com>
Date: Sat, 25 Apr 2026 00:59:39 -0400
Subject: [PATCH 2/3] =?UTF-8?q?drain(#360=20P0=C3=972=20+=20P1+P2+P1+P1=20?=
 =?UTF-8?q?Codex):=20regex-escape=20+=20BSD-grep=20portable=20+=20comment-?=
 =?UTF-8?q?strip=20+=20rolling-alias=20forbidden=20+=20warn-only=20exit?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Six Codex findings on tools/lint/runner-version-freshness.sh:

P0 (line 133) — regex-metachar escape:
`stale_pattern` was built from raw label strings; `.` in
ubuntu-22.04 was a regex wildcard, producing false matches/
misses. Added `escape_for_regex` helper that escapes . + *
? ( ) [ ] { } | \ / before alternation.

P0 (line 149) — BSD-grep portability:
`\b` word-boundary doesn't work in BSD grep (macOS default;
treated as backspace per POSIX ERE). Replaced with explicit
non-word boundaries: `([^A-Za-z0-9_]|^)` start +
`([^A-Za-z0-9_]|$)` end, expressed without backrefs so it
works in both GNU and BSD grep.

P1 (line 149-1) — exclude comments:
Stale-label-in-comment was triggering false positives. Added
a comment-stripping pre-filter (`grep -vE '^[[:space:]]*#'`)
so YAML comments are excluded from the scan.

P1 (line 149-2) — explicit-file-not-found masking:
`grep ... 2>/dev/null || true` silently swallowed missing-
file errors and reported 'ok' for nothing-actually-linted.
Added an explicit `[ ! -r "$file" ]` precheck that fails
loud (exit 2) rather than passing silent.

P1 (line 73) — rolling-aliases forbidden by convention:
ALLOWED_LABELS included ubuntu-latest / windows-latest /
macos-latest, contradicting the repo convention of pinned
major-OS-version labels. Removed from ALLOWED_LABELS, added
a separate ROLLING_ALIASES forbidden list, added a
distinct error-class scan ('ROLLING-ALIAS RUNNER LABEL') so
contributors get a different error message than for
stale-version pins. Same fail=1 flag, different operator
message.

P2 (line 179) — warn-only exit on stale freshness:
Header documents this as warning-only; code exited 3 (which
some CI configurations treat as failure). Updated to exit 0
on stale-freshness-only path; warning is still printed to
stderr. Stale-version-detection still exit 2 (a real failure).

Smoke-test note: the new script now flags ubuntu-22.04 in
gate.yml as stale (real finding) — exit 2 with the expected
output. gate.yml's own runner-pin upgrade is out of scope
for this PR; will land separately.
---
 tools/lint/runner-version-freshness.sh | 100 ++++++++++++++++++-------
 1 file changed, 73 insertions(+), 27 deletions(-)

diff --git a/tools/lint/runner-version-freshness.sh b/tools/lint/runner-version-freshness.sh
index 6b0dbf65..0efbc6e7 100755
--- a/tools/lint/runner-version-freshness.sh
+++ b/tools/lint/runner-version-freshness.sh
@@ -47,26 +47,28 @@ LAST_VERIFIED="2026-04-24"
 VERIFY_URL="https://docs.github.com/en/actions/how-tos/write-workflows/choose-where-workflows-run/choose-the-runner-for-a-job#standard-github-hosted-runners-for-public-repositories"
 
 ALLOWED_LABELS=(
-  # Linux x64 — latest LTS + slim variant
+  # Pinned major-OS-version labels per repo convention —
+  # the rolling -latest aliases (ubuntu-latest /
+  # windows-latest / macos-latest) are explicitly NOT in
+  # the allow-list. Pinned labels make CI reproducibility
+  # auditable; rolling aliases silently drift when GitHub
+  # rotates the underlying image.
+
+  # Linux x64
   "ubuntu-slim"
-  "ubuntu-latest"
   "ubuntu-24.04"
 
-  # Linux arm64 — no -latest alias exists yet; pin to
-  # latest specific version available
+  # Linux arm64 — pin to latest specific version available
   "ubuntu-24.04-arm"
 
-  # Windows x64 — latest GA + rolling alias + 2025 vs
-  # vs2026 variant
-  "windows-latest"
+  # Windows x64 — latest GA + 2025 vs vs2026 variant
   "windows-2025"
   "windows-2025-vs2026"
 
   # Windows arm64
   "windows-11-arm"
 
-  # macOS arm64 (Apple Silicon) — latest GA + rolling
-  "macos-latest"
+  # macOS arm64 (Apple Silicon) — latest GA
   "macos-26"
 
   # macOS Intel — latest GA
@@ -78,6 +80,17 @@ ALLOWED_LABELS=(
   # justifying the exception.
 )
 
+# Rolling aliases — explicitly forbidden in the repo
+# convention (CI-reproducibility-by-pinning). These are
+# tracked separately from STALE_LABELS so a contributor
+# typing `ubuntu-latest` gets a distinct error from a
+# stale-version error.
+ROLLING_ALIASES=(
+  "ubuntu-latest"
+  "windows-latest"
+  "macos-latest"
+)
+
 STALE_LABELS=(
   "ubuntu-22.04"
   "ubuntu-22.04-arm"
@@ -129,27 +142,58 @@ if [ "${#files[@]}" -eq 0 ]; then
 fi
 
 # Build regex alternation of stale labels for one grep.
-stale_pattern="$(IFS='|'; echo "${STALE_LABELS[*]}")"
+# Escape regex metachars (. + * ? ( ) [ ] { } | \ /) in
+# labels so `ubuntu-22.04` matches literally, not
+# `ubuntu-22<any-char>04`.
+escape_for_regex() {
+  printf '%s' "$1" | sed -e 's#[][\\.*^$+?(){}|/]#\\&#g'
+}
+escaped_stales=()
+for label in "${STALE_LABELS[@]}"; do
+  escaped_stales+=("$(escape_for_regex "$label")")
+done
+stale_pattern="$(IFS='|'; echo "${escaped_stales[*]}")"
+
+# Portable word-boundaries: BSD grep (macOS default) and
+# POSIX ERE do not honor `\b`. Express boundary via
+# explicit non-word character classes that work in both
+# GNU and BSD grep.
+nonword_start='([^A-Za-z0-9_]|^)'
+nonword_end='([^A-Za-z0-9_]|$)'
 
 fail=0
 warn=0
 
 for file in "${files[@]}"; do
-  # Extract lines that look like runner-label references.
-  # Match:
-  #   runs-on: <label>
-  #   runs-on: ${{ matrix.os }}  (ignored — the matrix
-  #                                content is where the
-  #                                labels live)
-  #   os: [label1, label2, ...]
-  #   - <label> (inside a matrix list continuation)
-  #
-  # Then grep for any STALE_LABEL in those lines.
-  matches="$(grep -nE "runs-on:|\bos:\b|- ${stale_pattern}" "$file" 2>/dev/null || true)"
-  hits="$(echo "$matches" | grep -E "\b(${stale_pattern})\b" || true)"
+  # Verify file exists and is readable. Without this, the
+  # grep below would silently swallow a missing-file error
+  # and report 'ok' for nothing-actually-linted.
+  if [ ! -r "$file" ]; then
+    echo "ERROR: cannot read $file (does not exist or unreadable)" >&2
+    fail=1
+    continue
+  fi
+  # Strip YAML comment-only lines (first non-whitespace
+  # char is `#`) so stale labels mentioned in comments
+  # don't trigger false positives.
+  uncommented="$(grep -vE '^[[:space:]]*#' "$file" || true)"
+  # Extract lines that look like runner-label references,
+  # then grep for any STALE_LABEL with portable
+  # word-boundaries.
+  matches="$(printf '%s\n' "$uncommented" | grep -nE "runs-on:|(^|[^A-Za-z0-9_])os:|^[[:space:]]*-[[:space:]]+(${stale_pattern})" || true)"
+  hits="$(printf '%s\n' "$matches" | grep -E "${nonword_start}(${stale_pattern})${nonword_end}" || true)"
   if [ -n "$hits" ]; then
     echo "STALE RUNNER LABEL(S) in $file:"
-    echo "$hits" | sed 's/^/  /'
+    printf '%s\n' "$hits" | sed 's/^/  /'
+    fail=1
+  fi
+  # Same scan against rolling-alias forbidden list.
+  rolling_pattern="$(IFS='|'; echo "${ROLLING_ALIASES[*]}")"
+  rolling_matches="$(printf '%s\n' "$uncommented" | grep -nE "runs-on:|(^|[^A-Za-z0-9_])os:|^[[:space:]]*-[[:space:]]+(${rolling_pattern})" || true)"
+  rolling_hits="$(printf '%s\n' "$rolling_matches" | grep -E "${nonword_start}(${rolling_pattern})${nonword_end}" || true)"
+  if [ -n "$rolling_hits" ]; then
+    echo "ROLLING-ALIAS RUNNER LABEL(S) in $file (use a pinned version per repo convention):"
+    printf '%s\n' "$rolling_hits" | sed 's/^/  /'
     fail=1
   fi
 done
@@ -173,10 +217,12 @@ if [ "$fail" = "1" ]; then
 fi
 
 if [ "$warn" = "1" ]; then
-  # Warn-only exit: CI can be configured to treat exit 3
-  # as fail-soft if the allow-list freshness is itself
-  # a hard requirement.
-  exit 3
+  # Header documents the freshness check as warning-only;
+  # the warning has already been printed to stderr by
+  # _verify_age_ok. Exit 0 so this path doesn't fail CI;
+  # operators see the warning and bump LAST_VERIFIED on
+  # the next refresh tick.
+  exit 0
 fi
 
 echo "ok: all workflow runner labels are current (verified $LAST_VERIFIED)"

From 391b045ab4cb69aa548509f8e38d4e807e51a6c2 Mon Sep 17 00:00:00 2001
From: Aaron Stainback <aaron_bond@yahoo.com>
Date: Sat, 25 Apr 2026 01:05:56 -0400
Subject: [PATCH 3/3] drain(#360 P1+P2 Codex): quoted-matrix-entries +
 inline-comment stripping
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Two more substantive Codex findings:

P1 (line 183) — quoted matrix entries missed:
The matrix-entry prefilter was `^[[:space:]]*-[[:space:]]+`
which only matched bare `- <label>`. Common YAML syntax
`- "ubuntu-22.04"` or `- 'macos-15'` was being missed.
Updated prefilter to `^[[:space:]]*-[[:space:]]+(['\"]?)`
which optionally consumes a leading single or double quote.
Smoke-tested with mixed quoting + matrix block: catches both
forms now.

P2 (line 179) — trailing inline comments not stripped:
`runs-on: ubuntu-24.04 # was ubuntu-22.04` was falsely
flagging `ubuntu-22.04` in the trailing comment. Added a
second sed pass: `sed -E 's/[[:space:]]+#.*$//'` strips
everything after the first ` #` (YAML-spec comment-start
sentinel with required leading space). Conservative: doesn't
handle `#` inside quoted strings (rare in workflow YAML).
Smoke-tested: trailing comments correctly stripped.
---
 tools/lint/runner-version-freshness.sh | 28 ++++++++++++++++++--------
 1 file changed, 20 insertions(+), 8 deletions(-)

diff --git a/tools/lint/runner-version-freshness.sh b/tools/lint/runner-version-freshness.sh
index 0efbc6e7..fc0588a1 100755
--- a/tools/lint/runner-version-freshness.sh
+++ b/tools/lint/runner-version-freshness.sh
@@ -173,14 +173,26 @@ for file in "${files[@]}"; do
     fail=1
     continue
   fi
-  # Strip YAML comment-only lines (first non-whitespace
-  # char is `#`) so stale labels mentioned in comments
-  # don't trigger false positives.
-  uncommented="$(grep -vE '^[[:space:]]*#' "$file" || true)"
+  # Two-pass YAML comment stripping:
+  # 1. Drop full-line comments (first non-whitespace = `#`).
+  # 2. Strip trailing comments — anything after a ` #` (with
+  #    a leading space, the YAML-spec comment-start
+  #    sentinel) on lines that aren't already comment-only.
+  #    Conservative: doesn't try to handle `#` inside
+  #    quoted strings (rare in workflow YAML); tolerates
+  #    the corner case at the cost of an occasional false
+  #    positive.
+  uncommented="$(
+    grep -vE '^[[:space:]]*#' "$file" \
+      | sed -E 's/[[:space:]]+#.*$//'
+  )"
   # Extract lines that look like runner-label references,
-  # then grep for any STALE_LABEL with portable
-  # word-boundaries.
-  matches="$(printf '%s\n' "$uncommented" | grep -nE "runs-on:|(^|[^A-Za-z0-9_])os:|^[[:space:]]*-[[:space:]]+(${stale_pattern})" || true)"
+  # then grep for any STALE_LABEL with portable word-
+  # boundaries. Matrix-entry prefilter accepts both bare
+  # `- <label>` AND quoted `- "<label>"` / `- '<label>'`
+  # forms (common YAML matrix syntax).
+  matrix_prefix='^[[:space:]]*-[[:space:]]+(['"'"'"]?)'
+  matches="$(printf '%s\n' "$uncommented" | grep -nE "runs-on:|(^|[^A-Za-z0-9_])os:|${matrix_prefix}(${stale_pattern})" || true)"
   hits="$(printf '%s\n' "$matches" | grep -E "${nonword_start}(${stale_pattern})${nonword_end}" || true)"
   if [ -n "$hits" ]; then
     echo "STALE RUNNER LABEL(S) in $file:"
@@ -189,7 +201,7 @@ for file in "${files[@]}"; do
   fi
   # Same scan against rolling-alias forbidden list.
   rolling_pattern="$(IFS='|'; echo "${ROLLING_ALIASES[*]}")"
-  rolling_matches="$(printf '%s\n' "$uncommented" | grep -nE "runs-on:|(^|[^A-Za-z0-9_])os:|^[[:space:]]*-[[:space:]]+(${rolling_pattern})" || true)"
+  rolling_matches="$(printf '%s\n' "$uncommented" | grep -nE "runs-on:|(^|[^A-Za-z0-9_])os:|${matrix_prefix}(${rolling_pattern})" || true)"
   rolling_hits="$(printf '%s\n' "$rolling_matches" | grep -E "${nonword_start}(${rolling_pattern})${nonword_end}" || true)"
   if [ -n "$rolling_hits" ]; then
     echo "ROLLING-ALIAS RUNNER LABEL(S) in $file (use a pinned version per repo convention):"