Background
Cut 3 of the GH Actions budget rebalancing plan (2026-05-27). Builds on PR #230 (scorecard example fix, MERGED) and issue #231 (scorecard daily→weekly fan-out, in pilot).
Estate CodeQL state (audit 2026-05-28)
| Schedule |
Count |
Notes |
Weekly Monday 06:00 UTC ('0 6 * * 1') |
206 |
Canonical |
| Other weekly cadences |
~15 |
Mostly stragglers, low priority |
So unlike scorecard (180 daily) where the cut was schedule-frequency, CodeQL is already on weekly estate-wide. The cut here is a different axis: whether to keep scheduled CodeQL at all, and on which repos.
Budget math
Rough numbers:
Three shapes
Each is a different point on the security-vs-savings curve:
Option A: Drop scheduled CodeQL entirely
on:
push:
branches: [main, master]
pull_request:
branches: [main, master]
- schedule:
- - cron: '0 6 * * 1'Savings: ~53.5k Actions-min/year (~100% of scheduled CodeQL).
Risk: A vulnerable dep that lands sits undetected by CodeQL until the next PR-trigger. For many estate repos that's fine (PR cadence high enough). For dormant security-critical repos (e.g. crypto / auth / supply-chain libs) it's a real lag.
When this is right: most repos are doc/template/scaffold/exploration — scheduled CodeQL on them catches near-zero real findings vs the cost.
Option B: Move to monthly
schedule:
- - cron: '0 6 * * 1'
+ - cron: '0 6 1 * *' # Monthly, 1st of month, 06:00 UTC
Savings: ~46k Actions-min/year (~85% of scheduled CodeQL: 12 runs/year vs 52).
Risk: CVE lag bounded to ~30 days for any repo, regardless of PR cadence.
When this is right: middle ground; preserves periodic-floor without weekly cost.
Option C: Allowlist (drop schedule for non-shipping repos)
Keep weekly CodeQL on ~20 shipping/security-sensitive repos (e.g. panll, gossamer, burble, hypatia, verisimdb, boj-server, affinescript, ephapax, typed-wasm, proven, standards, vcl-ut, etc.); drop scheduled CodeQL on the ~186 doc/template/scaffold/exploration repos.
Mechanical shape: an opt-in label topic:codeql-scheduled (or a per-repo file .well-known/codeql-scheduled) gates the schedule block. The canonical CodeQL reusable wrapper template (in standards/.github/workflows/codeql.yml) drops the schedule block by default; shipping repos either keep their per-repo schedule block intact or opt in via the marker.
Savings: ~45.5k Actions-min/year (~85% of scheduled CodeQL: 20 × 52 = 1,040 runs/year vs 206 × 52 = 10,712).
Risk: scheduled CodeQL kept on the repos that materially benefit from it; dropped on the rest.
When this is right: estate has a strong shipping-vs-template split (it does — see .machine_readable/META.a2ml repo classifications), so the allowlist is honest about where the value is.
Comparison table
| Shape |
Savings (min/year) |
Estate-wide CodeQL coverage |
Selection cost |
| A — drop schedule |
~53.5k (100%) |
PR-trigger only on all 206 |
None — single canonical diff |
| B — monthly |
~46k (~85%) |
All 206 monthly |
None — single canonical diff |
| C — allowlist |
~45.5k (~85%) |
Weekly on ~20, PR-trigger on the rest |
Per-repo decision for the ~20 |
Note A's slightly-higher savings come at materially-higher CVE-lag risk; B and C are within rounding error on savings but differ in where the coverage lands.
Recommendation request
Owner to pick:
Execution path (post-decision)
For all three options, the upstream change is to standards/.github/workflows/codeql.yml (the canonical caller template); fan-out then converts the ~206 weekly repos to the chosen pattern. Single-line cron change shape (same as cut 1/2), AM001-class admin-mergeable, can ride the same pilot+sweep approach proven in issue #231.
Related
🤖 Generated with Claude Code
Background
Cut 3 of the GH Actions budget rebalancing plan (2026-05-27). Builds on PR #230 (scorecard example fix, MERGED) and issue #231 (scorecard daily→weekly fan-out, in pilot).
Estate CodeQL state (audit 2026-05-28)
'0 6 * * 1')So unlike scorecard (180 daily) where the cut was schedule-frequency, CodeQL is already on weekly estate-wide. The cut here is a different axis: whether to keep scheduled CodeQL at all, and on which repos.
Budget math
Rough numbers:
Three shapes
Each is a different point on the security-vs-savings curve:
Option A: Drop scheduled CodeQL entirely
on: push: branches: [main, master] pull_request: branches: [main, master] - schedule: - - cron: '0 6 * * 1'Savings: ~53.5k Actions-min/year (~100% of scheduled CodeQL).
Risk: A vulnerable dep that lands sits undetected by CodeQL until the next PR-trigger. For many estate repos that's fine (PR cadence high enough). For dormant security-critical repos (e.g. crypto / auth / supply-chain libs) it's a real lag.
When this is right: most repos are doc/template/scaffold/exploration — scheduled CodeQL on them catches near-zero real findings vs the cost.
Option B: Move to monthly
Savings: ~46k Actions-min/year (~85% of scheduled CodeQL: 12 runs/year vs 52).
Risk: CVE lag bounded to ~30 days for any repo, regardless of PR cadence.
When this is right: middle ground; preserves periodic-floor without weekly cost.
Option C: Allowlist (drop schedule for non-shipping repos)
Keep weekly CodeQL on ~20 shipping/security-sensitive repos (e.g.
panll,gossamer,burble,hypatia,verisimdb,boj-server,affinescript,ephapax,typed-wasm,proven,standards,vcl-ut, etc.); drop scheduled CodeQL on the ~186 doc/template/scaffold/exploration repos.Mechanical shape: an opt-in label
topic:codeql-scheduled(or a per-repo file.well-known/codeql-scheduled) gates the schedule block. The canonical CodeQL reusable wrapper template (instandards/.github/workflows/codeql.yml) drops the schedule block by default; shipping repos either keep their per-repo schedule block intact or opt in via the marker.Savings: ~45.5k Actions-min/year (~85% of scheduled CodeQL: 20 × 52 = 1,040 runs/year vs 206 × 52 = 10,712).
Risk: scheduled CodeQL kept on the repos that materially benefit from it; dropped on the rest.
When this is right: estate has a strong shipping-vs-template split (it does — see
.machine_readable/META.a2mlrepo classifications), so the allowlist is honest about where the value is.Comparison table
Note A's slightly-higher savings come at materially-higher CVE-lag risk; B and C are within rounding error on savings but differ in where the coverage lands.
Recommendation request
Owner to pick:
Execution path (post-decision)
For all three options, the upstream change is to
standards/.github/workflows/codeql.yml(the canonical caller template); fan-out then converts the ~206 weekly repos to the chosen pattern. Single-line cron change shape (same as cut 1/2), AM001-class admin-mergeable, can ride the same pilot+sweep approach proven in issue #231.Related
session_2026_05_27_doomed_ci_pilotfamily of memory notes)🤖 Generated with Claude Code