From 5082ce7952f59aaf326c8b654cbf9790666cec4d Mon Sep 17 00:00:00 2001
From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com>
Date: Sun, 31 May 2026 12:11:12 +0100
Subject: [PATCH] =?UTF-8?q?ci(codeql):=20cron=20weekly=E2=86=92monthly=20(?=
 =?UTF-8?q?cut=203,=20standards#233=20Option=20B)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Per owner-decision Option B on hyperpolymath/standards#233 (2026-05-30):
move scheduled CodeQL from weekly (`'0 6 * * 1'`) to monthly
(`'0 6 1 * *'`). Same shape as canonical caller-template change
in hyperpolymath/standards#286.

## Why

- ~85% Actions-minute savings on scheduled CodeQL (12 runs/yr vs 52).
- Bounded 30-day CVE-detection floor.
- PR-trigger runs (push + pull_request) unchanged — every PR still gets
  CodeQL coverage.

## Sweep

Part of estate-wide sweep tracked at hyperpolymath/standards#288.

Refs hyperpolymath/standards#233
Refs hyperpolymath/standards#288
Refs hyperpolymath/standards#286

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 asdf-augmenters/asdf-control-tower/.github/workflows/codeql.yml | 2 +-
 .../plugins/casket-ssg/.github/workflows/codeql.yml             | 2 +-
 .../plugins/doctl/.github/workflows/codeql.yml                  | 2 +-
 .../plugins/hashicorp/.github/workflows/codeql.yml              | 2 +-
 .../plugins/orchid/.github/workflows/codeql.yml                 | 2 +-
 asdf-casket-ssg-plugin/.github/workflows/codeql.yml             | 2 +-
 asdf-control-tower/.github/workflows/codeql.yml                 | 2 +-
 asdf-gitleaks-plugin/.github/workflows/codeql.yml               | 2 +-
 .../plugins/casket-ssg/.github/workflows/codeql.yml             | 2 +-
 .../plugins/dhall/.github/workflows/codeql.yml                  | 2 +-
 .../plugins/hashicorp/.github/workflows/codeql.yml              | 2 +-
 .../plugins/syft/.github/workflows/codeql.yml                   | 2 +-
 12 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/asdf-augmenters/asdf-control-tower/.github/workflows/codeql.yml b/asdf-augmenters/asdf-control-tower/.github/workflows/codeql.yml
index 7760729a..82d80de5 100644
--- a/asdf-augmenters/asdf-control-tower/.github/workflows/codeql.yml
+++ b/asdf-augmenters/asdf-control-tower/.github/workflows/codeql.yml
@@ -6,7 +6,7 @@ on:
   pull_request:
     branches: [main]
   schedule:
-    - cron: "0 6 * * 1"
+    - cron: "0 6 1 * *"
 permissions: read-all
 jobs:
   analyze:
diff --git a/asdf-augmenters/asdf-plugin-collection/plugins/casket-ssg/.github/workflows/codeql.yml b/asdf-augmenters/asdf-plugin-collection/plugins/casket-ssg/.github/workflows/codeql.yml
index 8af81f66..6f08bcdc 100644
--- a/asdf-augmenters/asdf-plugin-collection/plugins/casket-ssg/.github/workflows/codeql.yml
+++ b/asdf-augmenters/asdf-plugin-collection/plugins/casket-ssg/.github/workflows/codeql.yml
@@ -6,7 +6,7 @@ on:
   pull_request:
     branches: [main]
   schedule:
-    - cron: "0 6 * * 1"
+    - cron: "0 6 1 * *"
 permissions: read-all
 jobs:
   analyze:
diff --git a/asdf-augmenters/asdf-plugin-collection/plugins/doctl/.github/workflows/codeql.yml b/asdf-augmenters/asdf-plugin-collection/plugins/doctl/.github/workflows/codeql.yml
index b317db1b..ac2074ea 100644
--- a/asdf-augmenters/asdf-plugin-collection/plugins/doctl/.github/workflows/codeql.yml
+++ b/asdf-augmenters/asdf-plugin-collection/plugins/doctl/.github/workflows/codeql.yml
@@ -7,7 +7,7 @@ on:
   pull_request:
     branches: [main, master]
   schedule:
-    - cron: '0 6 * * 1'
+    - cron: '0 6 1 * *'
 
 permissions: read-all
 
diff --git a/asdf-augmenters/asdf-plugin-collection/plugins/hashicorp/.github/workflows/codeql.yml b/asdf-augmenters/asdf-plugin-collection/plugins/hashicorp/.github/workflows/codeql.yml
index 8af81f66..6f08bcdc 100644
--- a/asdf-augmenters/asdf-plugin-collection/plugins/hashicorp/.github/workflows/codeql.yml
+++ b/asdf-augmenters/asdf-plugin-collection/plugins/hashicorp/.github/workflows/codeql.yml
@@ -6,7 +6,7 @@ on:
   pull_request:
     branches: [main]
   schedule:
-    - cron: "0 6 * * 1"
+    - cron: "0 6 1 * *"
 permissions: read-all
 jobs:
   analyze:
diff --git a/asdf-augmenters/asdf-plugin-collection/plugins/orchid/.github/workflows/codeql.yml b/asdf-augmenters/asdf-plugin-collection/plugins/orchid/.github/workflows/codeql.yml
index b317db1b..ac2074ea 100644
--- a/asdf-augmenters/asdf-plugin-collection/plugins/orchid/.github/workflows/codeql.yml
+++ b/asdf-augmenters/asdf-plugin-collection/plugins/orchid/.github/workflows/codeql.yml
@@ -7,7 +7,7 @@ on:
   pull_request:
     branches: [main, master]
   schedule:
-    - cron: '0 6 * * 1'
+    - cron: '0 6 1 * *'
 
 permissions: read-all
 
diff --git a/asdf-casket-ssg-plugin/.github/workflows/codeql.yml b/asdf-casket-ssg-plugin/.github/workflows/codeql.yml
index 8af81f66..6f08bcdc 100644
--- a/asdf-casket-ssg-plugin/.github/workflows/codeql.yml
+++ b/asdf-casket-ssg-plugin/.github/workflows/codeql.yml
@@ -6,7 +6,7 @@ on:
   pull_request:
     branches: [main]
   schedule:
-    - cron: "0 6 * * 1"
+    - cron: "0 6 1 * *"
 permissions: read-all
 jobs:
   analyze:
diff --git a/asdf-control-tower/.github/workflows/codeql.yml b/asdf-control-tower/.github/workflows/codeql.yml
index 7760729a..82d80de5 100644
--- a/asdf-control-tower/.github/workflows/codeql.yml
+++ b/asdf-control-tower/.github/workflows/codeql.yml
@@ -6,7 +6,7 @@ on:
   pull_request:
     branches: [main]
   schedule:
-    - cron: "0 6 * * 1"
+    - cron: "0 6 1 * *"
 permissions: read-all
 jobs:
   analyze:
diff --git a/asdf-gitleaks-plugin/.github/workflows/codeql.yml b/asdf-gitleaks-plugin/.github/workflows/codeql.yml
index b317db1b..ac2074ea 100644
--- a/asdf-gitleaks-plugin/.github/workflows/codeql.yml
+++ b/asdf-gitleaks-plugin/.github/workflows/codeql.yml
@@ -7,7 +7,7 @@ on:
   pull_request:
     branches: [main, master]
   schedule:
-    - cron: '0 6 * * 1'
+    - cron: '0 6 1 * *'
 
 permissions: read-all
 
diff --git a/asdf-plugin-collection/plugins/casket-ssg/.github/workflows/codeql.yml b/asdf-plugin-collection/plugins/casket-ssg/.github/workflows/codeql.yml
index 8af81f66..6f08bcdc 100644
--- a/asdf-plugin-collection/plugins/casket-ssg/.github/workflows/codeql.yml
+++ b/asdf-plugin-collection/plugins/casket-ssg/.github/workflows/codeql.yml
@@ -6,7 +6,7 @@ on:
   pull_request:
     branches: [main]
   schedule:
-    - cron: "0 6 * * 1"
+    - cron: "0 6 1 * *"
 permissions: read-all
 jobs:
   analyze:
diff --git a/asdf-plugin-collection/plugins/dhall/.github/workflows/codeql.yml b/asdf-plugin-collection/plugins/dhall/.github/workflows/codeql.yml
index b317db1b..ac2074ea 100644
--- a/asdf-plugin-collection/plugins/dhall/.github/workflows/codeql.yml
+++ b/asdf-plugin-collection/plugins/dhall/.github/workflows/codeql.yml
@@ -7,7 +7,7 @@ on:
   pull_request:
     branches: [main, master]
   schedule:
-    - cron: '0 6 * * 1'
+    - cron: '0 6 1 * *'
 
 permissions: read-all
 
diff --git a/asdf-plugin-collection/plugins/hashicorp/.github/workflows/codeql.yml b/asdf-plugin-collection/plugins/hashicorp/.github/workflows/codeql.yml
index 8af81f66..6f08bcdc 100644
--- a/asdf-plugin-collection/plugins/hashicorp/.github/workflows/codeql.yml
+++ b/asdf-plugin-collection/plugins/hashicorp/.github/workflows/codeql.yml
@@ -6,7 +6,7 @@ on:
   pull_request:
     branches: [main]
   schedule:
-    - cron: "0 6 * * 1"
+    - cron: "0 6 1 * *"
 permissions: read-all
 jobs:
   analyze:
diff --git a/asdf-plugin-collection/plugins/syft/.github/workflows/codeql.yml b/asdf-plugin-collection/plugins/syft/.github/workflows/codeql.yml
index b317db1b..ac2074ea 100644
--- a/asdf-plugin-collection/plugins/syft/.github/workflows/codeql.yml
+++ b/asdf-plugin-collection/plugins/syft/.github/workflows/codeql.yml
@@ -7,7 +7,7 @@ on:
   pull_request:
     branches: [main, master]
   schedule:
-    - cron: '0 6 * * 1'
+    - cron: '0 6 1 * *'
 
 permissions: read-all