From c75450282afc9e72a925b4415ed7e9a604ab3b84 Mon Sep 17 00:00:00 2001
From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com>
Date: Sat, 30 May 2026 14:43:55 +0100
Subject: [PATCH] ci(codeql): canonical cron weekly→monthly (cut 3, standards#233 Option B)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Owner-decision (2026-05-30) selected Option B from standards#233: move scheduled CodeQL from weekly (Mon 06:00 UTC) to monthly (1st 06:00 UTC).

## Why B (vs A drop-schedule / C allowlist)

- ~85% savings (~46k Actions-min/yr) without an estate-wide stratification exercise (avoids C's per-repo decision cost and A's worst-case CVE-lag).
- Bounded 30-day CVE-detection floor for every repo, regardless of activity.
- Monthly cadence aligns with the CVE→CodeQL-query propagation cycle, so practical detection delta vs weekly is small.
- Single mechanical fan-out — same shape as cuts 1+2 (#230, #231).

## Scope

This PR changes ONLY the canonical caller template here. The estate-wide sweep (~206 repos on the weekly cadence) is tracked separately; per-repo PRs will land staggered to respect GitHub secondary rate-limit.

PR-trigger runs (push + pull_request) are kept regardless of this cut. The schedule-block change is orthogonal to per-PR coverage.

Refs hyperpolymath/standards#233

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/codeql.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index c475cafa..c6e8eff2 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -7,7 +7,12 @@ on: pull_request: branches: [main, master] schedule: - - cron: '0 6 * * 1' + # Estate cut 3 (standards#233): weekly → monthly. 1st of each month + # at 06:00 UTC. Owner-decision Option B (2026-05-30): ~85% savings + # (~46k Actions-min/yr) with bounded 30-day CVE-detection floor. + # PR-trigger runs (push + pull_request) are kept regardless — this + # cut only changes the scheduled-baseline cadence. + - cron: '0 6 1 * *' # Estate guardrail: cancel superseded runs so re-pushes / rebased PR # updates do not pile up queued runs against the shared account-wide
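Review bot: the "bounded 30-day CVE-detection floor" stated in the new comment block above `- cron: '0 6 1 * *'` does not hold unconditionally, and the comment should say so. GitHub disables scheduled workflows in public repositories after 60 days without repository activity, so a repo that goes quiet loses the monthly baseline entirely, not just the weekly one; the commit message's "regardless of activity" bullet has the same gap. Since this template fans out to ~206 repos, one line in the comment such as "note: GitHub auto-disables schedules on public repos idle >60 days; re-enable on next push" would stop the per-repo copies from over-promising. Two smaller points on the same hunk: with the 1st of the month the real interval is 28 to 31 days, so "up to 31-day" is the accurate floor, and firing exactly on the hour (`0 6`) lands in the window GitHub documents as high-load for `schedule` events, where runs may be delayed or dropped; an off-hour minute (for example `17 6 1 * *`) costs nothing and avoids the whole estate queuing at the same instant. Finally, consider trimming the rationale embedded in the YAML to the `standards#233` reference; the savings figures and decision date will drift from the issue once cut 4 lands, and the file then carries stale numbers in 200+ repos.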