[campaign] Estate CodeQL weekly→monthly sweep (cut 3, standards#233 Option B — ~206 repos)

[hyperpolymath]

Campaign overview

Per-repo fan-out of the canonical CodeQL cron change shipped in standards#286 (cut 3, owner-decision Option B 2026-05-30): convert ~206 repos from weekly ('0 6 * * 1') to monthly ('0 6 1 * *') CodeQL scheduled runs.

Why

• 85% savings (~46k Actions-min/yr) without estate-wide stratification.
• Bounded 30-day CVE-detection floor for every repo.
• Single mechanical fan-out — same shape as cuts 1+2 (chore(scorecard-reusable): align example with canonical weekly schedule + document drift #230, GH Actions budget: convert 180 estate repos from daily to weekly scorecard schedule (cut 2 fan-out) #231).

Scope (audit 2026-05-28 + 2026-05-30)

Schedule	Count	Action
Weekly Monday 06:00 UTC ('0 6 * * 1')	~206	Convert to monthly via this sweep
Other weekly cadences	~15	Lower-priority follow-up
Already inline / non-reusable	varies	Out of scope for this sweep

Mechanical change per repo

 schedule:
-  - cron: '0 6 * * 1'   # weekly Monday 06:00 UTC
+  - cron: '0 6 1 * *'   # monthly 1st 06:00 UTC

PR-trigger runs (push + pull_request) unchanged — every PR still gets CodeQL.

Constraints

• GitHub PR-create secondary rate-limit: ~5 PRs / 30min (operator memory).
• Estimated total: 206 PRs × 6min stagger = ~21 hours of background sweep time.
• Multi-session execution; resume by re-auditing repos still on '0 6 * * 1'.
• Skip echo-types/ (owner hands-off).
• Per-PR ownership gate: each repo must satisfy owner=hyperpolymath, isFork=false, parent=null.

Sequencing

• ✅ Canonical change: standards#286 (OPEN, auto-merge armed 2026-05-30)
• ⏳ Sweep execution: gated on canonical merging + the scorecard sweep standards#282 completing (to avoid rate-limit collision)
• ⏳ Long-tail (~15 repos on non-canonical weekly cadences): follow-up after main sweep

Acceptance

• 206 PRs land (or skipped where no-op)
• Estate-wide CodeQL audit shows monthly cron everywhere or documented exception
• 6-week budget review confirms ~46k min/yr savings landed

Cross-references

• Canonical change: hyperpolymath/standards#286
• Decision: hyperpolymath/standards#233 (Option B selected 2026-05-30)
• Prior cuts: standards#230 (cut 1), standards#231 (cut 2)
• Memory: session_2026_05_28_gh_actions_budget_cuts_1_2_3.md

[hyperpolymath]

cicd triage 2026-05-30: campaign progress check. Owner-decision (Option B) executed via #286 + #233; cross-estate fan-out remains the open work (~206 repos). Sweep paused on GH Actions budget — memory: project_estate_fake_action_sha_punch_list_2026_05_30 notes round-2 PR-creation deferred for the same reason. Resume next billing cycle. Leaving open with cicd label.