ci: deepen shared GitHub Actions rails

[haasonsaas]

Summary

• add explicit timeouts to shared reusable jobs so callers cannot hang indefinitely
• run Codex Rails validation on the org Blacksmith runner by default, with an override input for callers
• run repo Ruby tests when present and add classifier coverage for agent-assisted, agent-authored, mixed, incomplete, and GITHUB_OUTPUT behavior
• document that production callers should pin both the reusable workflow ref and helper_ref to the same evalops/.github SHA

Research notes

• GitHub reusable workflow caller jobs support only a limited set of job keys, so timeout policy belongs in the called workflow.
• GitHub documents that a reusable workflow's github context is associated with the caller workflow; helper checkout refs must therefore be explicit when the helper lives in evalops/.github.

Verification

• actionlint .github/workflows/agent-authorship-label.yml .github/workflows/codex-rails-check.yml .github/workflow-templates/agent-authorship-labels.yml
• ruby -Itest test/classify_agent_authorship_test.rb
• ruby -c .github/scripts/classify-agent-authorship.rb
• git diff --check

[cursor]

PR Summary

Medium Risk
Changes reusable GitHub Actions workflows (runner selection, globbing, and new test execution), which can impact CI reliability and potentially cause new failures or timeouts across consuming repos.

Overview
Hardens shared CI workflows by adding timeout-minutes: 10 to the reusable agent-authorship-label job and the codex-rails-check validation job to prevent indefinite hangs.

Improves reusability and validation coverage by letting codex-rails-check run on a configurable runner_label (defaulting to the Blacksmith runner), expanding path triggers to include test/**, enabling globstar for issue-template discovery, and running repository Ruby tests when present.

Adds classifier regression tests and guidance by introducing test/classify_agent_authorship_test.rb to cover authorship label classification and GITHUB_OUTPUT behavior, and updating profile/AGENT_AUTHORSHIP.md to recommend pinning both the reusable workflow ref and helper_ref to the same immutable SHA in production.

^{Reviewed by Cursor Bugbot for commit db73b88. Bugbot is set up for automated code reviews on this repo. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 2 potential issues.

^{Bugbot Autofix is ON, but it could not run because the branch was deleted or merged before autofix could start.}

^{Reviewed by Cursor Bugbot for commit db73b88. Configure here.}