From 6ae0044e0f1c4da01b8680a243e932301cbd65e9 Mon Sep 17 00:00:00 2001 From: Ray Walker Date: Sat, 23 May 2026 19:21:02 +1000 Subject: [PATCH] ci: move Security cron to weekly Saturday Sydney night MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Was daily at 03:00 UTC = 13:00 AEST = middle of Sydney workday. Combined with the 8h-per-target deep fuzz (PR #33), that's ~128 runner-hours/day saturating the ARC pool during work hours. New schedule: Saturday 11:07 UTC. - AEST (winter): Sat 21:07 Sydney - AEDT (summer): Sat 22:07 Sydney Year-round Saturday night, regardless of DST. PR-time still has strong coverage: - Fast Security Checks (cargo audit, deny, clippy, tests) - Quick Fuzz (120s corpus smoke) - Cargo Vet (since #32 — runs on pull_request) - CodeQL (per push) Off-minute (:07) avoids cron pile-up at :00. `cancel-in-progress` concurrency still applies; with weekly cadence and ~16h runs, no overlap. --- .github/workflows/security.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index b6b3c1a..8f5e13f 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -6,7 +6,12 @@ on: pull_request: branches: [main] schedule: - - cron: '0 3 * * *' + # Saturday 11:07 UTC = Sat 21:07 AEST / 22:07 AEDT (Sydney night, year-round). + # Weekly cadence: deep fuzz at 8h/target × 16 targets is ~128 runner-hours. + # PR-time coverage (cargo audit/deny, Cargo Vet, Quick Fuzz, CodeQL) catches + # regressions promptly; deep fuzz is for finding bugs, not gating merges. + # Off-minute (:07) avoids the cron pile-up that GitHub schedules at :00. + - cron: '7 11 * * 6' release: types: [published]
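Review bot: At `- cron: '7 11 * * 6'`, the single schedule entry moves everything this workflow runs on a timer to weekly, and the new comment's claim that PR-time coverage "catches regressions promptly" only covers findings that arrive with a code change. A new advisory against an already pinned dependency appears without any PR, so if the cargo audit/deny jobs were also running on the old daily cron, `main` can now sit up to seven days before the advisory is flagged when no PR is open. Consider keeping a cheap daily `schedule` entry for the audit/deny jobs and gating only the deep fuzz job on the Saturday run, so the runner-hour saving is kept without widening that window. Separately, the unchanged context shows `pull_request` and `release` still trigger this same workflow, and the commit message relies on `cancel-in-progress`; the concurrency block is outside this hunk, so please confirm its group key separates scheduled runs from PR and release runs. The "no overlap" reasoning only considers two scheduled runs, and at weekly cadence a cancelled ~16h run costs a full week of deep fuzz coverage. Minor wording point: "the cron pile-up that GitHub schedules at :00" reads as if GitHub creates the pile-up deliberately; something like "avoids the top-of-the-hour queue delays on scheduled workflows" would be clearer.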