ci: Ignore OAuth scopes in endpoint check #6245

Open: h-tsuboi918 wants to merge 1 commit into google:main from h-tsuboi918:fix/googleapis-endpoint-ci-scopes
h-tsuboi918 commented Jun 29, 2026

Please ensure you have read the contribution guide before creating a pull request.

Link to Issue or Description of Change

1. Link to an existing issue (if applicable):

2. Or, if no issue exists, describe the change:

Problem:
The File Content Compliance CI check treats any changed Python file containing a googleapis.com URL as a file with a hardcoded service endpoint. This causes false positives for OAuth scope URLs such as https://www.googleapis.com/auth/cloud-platform, which are not service endpoints and do not have .mtls.googleapis.com counterparts.

Solution:
Update the CI check to classify matches at the URL level before building FILES_WITH_ENDPOINTS. The check now excludes OAuth scopes under https://www.googleapis.com/auth/, while still checking non-scope googleapis.com URLs for an mTLS counterpart.

Testing Plan

Unit Tests:

  • I have added or updated unit tests for my change.
  • All unit tests pass locally.

No Python unit tests were added because this change only updates a GitHub Actions shell check.

Local shell verification:

  • A file containing only https://www.googleapis.com/auth/cloud-platform is not included in FILES_WITH_ENDPOINTS.
  • A file containing https://example.googleapis.com/v1/projects is included in FILES_WITH_ENDPOINTS.
  • A file containing https://example.googleapis.com/v1/projects without .mtls.googleapis.com is reported in FILES_MISSING_MTLS.
  • A file containing both https://example.googleapis.com/v1/projects and https://example.mtls.googleapis.com/v1/projects is not reported in FILES_MISSING_MTLS.
  • A file containing an OAuth scope and a service endpoint on the same line still reports the service endpoint file.

Test fixtures used locally:

# /tmp/adk-ci-check-oauth-scope.py
SCOPE = "https://www.googleapis.com/auth/cloud-platform"

# /tmp/adk-ci-check-service-endpoint.py
ENDPOINT = "https://example.googleapis.com/v1/projects"

# /tmp/adk-ci-check-service-endpoint-with-mtls.py
ENDPOINT = "https://example.googleapis.com/v1/projects"
MTLS_ENDPOINT = "https://example.mtls.googleapis.com/v1/projects"

# /tmp/adk-ci-check-same-line-mixed.py
VALUES = "https://www.googleapis.com/auth/cloud-platform https://example.googleapis.com/v1/projects"

Command:

CHANGED_FILES="/tmp/adk-ci-check-oauth-scope.py /tmp/adk-ci-check-service-endpoint.py /tmp/adk-ci-check-service-endpoint-with-mtls.py /tmp/adk-ci-check-same-line-mixed.py"
FILES_WITH_ENDPOINTS=$(grep -HEo 'https?://[a-zA-Z0-9.-]+\.googleapis\.com[^"'\''[:space:]]*' $CHANGED_FILES | grep -vE 'https?://www\.googleapis\.com/auth(/|$)' | cut -d: -f1 | sort -u || true)
FILES_MISSING_MTLS=""
if [ -n "$FILES_WITH_ENDPOINTS" ]; then
  FILES_MISSING_MTLS=$(grep -L '\.mtls\.googleapis\.com' $FILES_WITH_ENDPOINTS)
fi
printf 'FILES_WITH_ENDPOINTS:\n%s\n\nFILES_MISSING_MTLS:\n%s\n' "$FILES_WITH_ENDPOINTS" "$FILES_MISSING_MTLS"

Output:

FILES_WITH_ENDPOINTS:
/tmp/adk-ci-check-same-line-mixed.py
/tmp/adk-ci-check-service-endpoint-with-mtls.py
/tmp/adk-ci-check-service-endpoint.py

FILES_MISSING_MTLS:
/tmp/adk-ci-check-same-line-mixed.py
/tmp/adk-ci-check-service-endpoint.py

Manual End-to-End (E2E) Tests:

Not run. This change affects a GitHub Actions workflow check, and local shell verification was used to validate the changed matching behavior.

Checklist

  • I have read the CONTRIBUTING.md document.
  • I have performed a self-review of my own code.
  • I have commented my code, particularly in hard-to-understand areas.
  • I have added tests that prove my fix is effective or that my feature works.
  • New and existing unit tests pass locally with my changes.
  • I have manually tested my changes end-to-end.
  • Any dependent changes have been merged and published in downstream modules.

Additional context

This was observed while investigating PR #6201, where the CI check flagged src/google/adk/tools/mcp_tool/mcp_session_manager.py because it contains the OAuth scope https://www.googleapis.com/auth/cloud-platform.

Related prior PR: #5931 attempted to fix the same false positive in the older .github/workflows/check-file-contents.yml workflow, but it was closed without being merged. The check now lives in .github/workflows/continuous-integration.yml.

The googleapis.com endpoint compliance check treated OAuth scope URLs as service endpoints and required an mTLS counterpart. Exclude https://www.googleapis.com/auth/ URLs before checking for mTLS endpoint variants.

Fixes google#6238

h-tsuboi918 marked this pull request as ready for review June 29, 2026 17:21
GWeale self-assigned this Jun 29, 2026
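
The URL-level classification described under "Solution", written as reusable shell functions and exercised on an extra boundary case (a `www.googleapis.com` path that merely starts with `/auth`). This is an added example, not the workflow's code or the PR author's; the function names, fixture file names and the `authority` URL are constructed for illustration.

```shell
# Added example; function names and fixtures are constructed, not from the workflow.

# Print every googleapis.com URL in the given files that is not an OAuth scope.
# Files are passed as quoted arguments, so names with spaces or colons are safe.
service_endpoints() {
  local f
  for f in "$@"; do
    [ -f "$f" ] || continue
    grep -Eo 'https?://[a-zA-Z0-9.-]+\.googleapis\.com[^"'\''[:space:]]*' "$f" |
      grep -vE '^https?://www\.googleapis\.com/auth(/|$)' || true
  done
}

# Print files that have at least one service endpoint but no
# .mtls.googleapis.com URL (the file-level rule the PR describes).
files_missing_mtls() {
  local f
  for f in "$@"; do
    [ -n "$(service_endpoints "$f")" ] || continue
    grep -q '\.mtls\.googleapis\.com' "$f" || printf '%s\n' "$f"
  done
}

# Build constructed fixtures in a temp dir and list the flagged file names.
demo() {
  local d
  d=$(mktemp -d)
  printf 'S = "https://www.googleapis.com/auth/cloud-platform"\n' > "$d/scope_only.py"
  printf 'E = "https://example.googleapis.com/v1/projects"\n' > "$d/endpoint only.py"
  printf 'E = "https://example.googleapis.com/v1"\nM = "https://example.mtls.googleapis.com/v1"\n' > "$d/with_mtls.py"
  printf 'V = "https://www.googleapis.com/auth/cloud-platform https://example.googleapis.com/v1"\n' > "$d/mixed.py"
  # Not under /auth/, so the exclusion pattern must not swallow it.
  printf 'U = "https://www.googleapis.com/authority/v1"\n' > "$d/not_a_scope.py"
  ( cd "$d" && files_missing_mtls *.py | LC_ALL=C sort )
  rm -rf "$d"
}

demo
```

Because the scope filter runs on each extracted URL rather than on whole lines, the mixed-line fixture is still reported while the scope-only file is not.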
Development

Successfully merging this pull request may close these issues.

CI googleapis.com endpoint check falsely flags OAuth scopes