Background
Spun out of #288. The cut-3 main sweep covers ~118 repos / 220 files on the canonical weekly cron '0 6 * * 1'. The 2026-05-31 audit also found 86 codeql.yml files across 30 repos on non-canonical weekly cadences — these are out of scope for #288 (which is strictly '0 6 * * 1' → '0 6 1 * *') but worth a follow-up sweep for consistency + savings.
Audit (2026-05-31)
Long-tail cadences and their file counts:
| Cron | Files | Note |
|---|---|---|
| `42 20 * * 0` (Sunday 20:42) | 33 | GitHub-default CodeQL setup wizard cron |
| `16 7 * * 1` (Monday 07:16) | 12 | Likely a prior scaffold variant |
| `0 0 * * 1` (Monday 00:00) | 5 | |
| `0 6 * * *` (daily 06:00) | 3 | Daily — much higher cost |
| `37 13 * * 0` (Sunday 13:37) | 3 | |
| `36 15 * * 6` (Saturday 15:36) | 3 | |
| `19 20 * * *` (daily 20:19) | 1 | Daily |
| `0 0 * * *` (daily midnight) | 1 | Daily |
| 21 other singleton/pair cadences | ~25 | Various ad-hoc |
Full list in /tmp/codeql-audit/classified-merged.tsv (sweep machine, 2026-05-31).
Mechanical change per file
Same shape as #288:
schedule:
- - cron: '<existing weekly/daily cron>'
+ - cron: '0 6 1 * *' # monthly 1st 06:00 UTC
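Review bot: the added line gives every converted file the same literal schedule, '0 6 1 * *', so all of them queue at minute 0 of the same hour on the same day; GitHub documents that scheduled workflows can be delayed during high-load periods such as the start of each hour, so consider staggering the minute per repo (for example `17 6 1 * *`) while keeping the monthly cadence. The removed line also stands in for daily crons, not only weekly ones: where a repo sees little push or pull_request activity, the scheduled run is what re-analyses unchanged code against updated CodeQL queries, so moving such a repo to monthly should be recorded as a deliberate choice or kept as a documented exception.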
PR-trigger runs (push + pull_request) unchanged.
Why follow-up not bundled into #288
… '0 6 * * 1' only). Bundling expands scope and complicates closure.
Estimated savings
If all 86 files converted to monthly:
- 5 daily files × 365 runs → 12 = ~1,765 fewer runs/yr
- ~78 weekly files × 52 → 12 = ~3,120 fewer runs/yr
- Total ~4,885 fewer scheduled CodeQL runs/yr × ~5 min = 24,425 min/yr ($200/yr equivalent)
(Smaller than #288's ~46k min/yr because the file count is smaller, but the per-file savings on the daily ones is much higher.)
Sequencing
Gate on #288 main sweep landing (avoid PR-create rate-limit collision):
Cross-references
Acceptance
- 86 files converted to monthly (or documented exception for any kept on a different cadence)
- Estate-wide audit shows only '0 6 1 * *' or documented exception
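The acceptance audit above can be scripted. The following is an added example, not the sweep's own tooling: it extracts schedule crons from workflow text, flags anything other than '0 6 1 * *' that has no documented exception, and estimates the scheduled runs saved. The function names, the `exceptions` parameter and the sample workflows are assumptions constructed for illustration.

```python
import re

CANONICAL = "0 6 1 * *"  # target cadence from the issue: monthly, 1st at 06:00 UTC
CRON_RE = re.compile(r"^\s*-\s*cron:\s*(['\"])(.+?)\1", re.M)  # quoted schedule entries

def _count(field):
    """How many values a simple cron field selects; None for '*', steps or names."""
    total = 0
    for part in field.split(","):
        lo, _, hi = part.partition("-")
        if not lo.isdigit() or (hi and not hi.isdigit()):
            return None
        total += int(hi) - int(lo) + 1 if hi else 1
    return total

def runs_per_year(cron):
    """Approximate yearly firings; None means 'classify by hand'."""
    fields = cron.split()
    if len(fields) != 5:
        return None
    minute, hour, dom, month, dow = fields
    if month != "*" or _count(minute) != 1 or _count(hour) != 1:
        return None  # several firings per day, or month-restricted
    if dom == "*" and dow == "*":
        return 365  # daily
    if dom != "*" and dow != "*":
        return None  # cron ORs day-of-month with day-of-week
    n = _count(dow if dom == "*" else dom)
    return n * (52 if dom == "*" else 12) if n else None

def audit(workflows, exceptions=frozenset()):
    """workflows maps path -> YAML text. Returns (findings, runs saved per year)."""
    findings, saved = [], 0
    for path, text in sorted(workflows.items()):
        for _quote, cron in CRON_RE.findall(text):
            if cron == CANONICAL or path in exceptions:
                continue  # already monthly, or a documented exception
            yearly = runs_per_year(cron)
            findings.append((path, cron, yearly))
            saved += max(yearly - 12, 0) if yearly else 0
    return findings, saved

# Constructed sample input, not real repositories.
SAMPLE = {
    "repo-a/codeql.yml": "on:\n  schedule:\n    - cron: '42 20 * * 0'\n",
    "repo-b/codeql.yml": "on:\n  schedule:\n    - cron: '0 6 * * *'\n",
    "repo-c/codeql.yml": "on:\n  schedule:\n    - cron: '0 6 1 * *'  # monthly\n",
}
if __name__ == "__main__":
    print(audit(SAMPLE))
```

An empty findings list corresponds to the acceptance condition; entries whose yearly count is `None` need manual classification before conversion.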