
ci: move Security cron to weekly Saturday Sydney night #34

Merged: 27Bslash6 merged 1 commit into main from chore/security-cron-weekly on May 23, 2026

Conversation

Contributor

@27Bslash6 27Bslash6 commented May 23, 2026

Summary

The Security workflow was firing daily at 0 3 * * * UTC = 13:00 Sydney = middle of the maintainer's workday. With PR #33's 8h-per-target deep fuzz, that means ~128 runner-hours/day saturating ARC during work hours.

Moves to weekly Saturday 11:07 UTC:

  • AEST (winter): Sat 21:07 Sydney
  • AEDT (summer): Sat 22:07 Sydney

Year-round Saturday night, regardless of DST flip.

Why weekly is enough

For a stable crypto crate, deep fuzz is for finding bugs, not gating merges. PR-time coverage is already strong:

| Check | Runs on |
| --- | --- |
| Fast Security Checks (cargo audit, deny, clippy, tests) | push + PR |
| Quick Fuzz (120s corpus smoke) | push + PR |
| Cargo Vet (supply chain) | PR + schedule (since #32) |
| CodeQL | push + weekly |

Daily 8h fuzz buys diminishing returns — most regressions land via PRs and get caught by the PR-time gates. Weekly deep fuzz preserves the value (finding deep state-explosion bugs over long runs) while cutting runner cost ~7×.

Off-minute

:07 rather than :00 — GitHub Actions' shared cron scheduler delays jobs that land on :00 due to API pile-ups. Off-minute is a free reliability win.

Test plan

  • PR-time CI exercises everything except Cargo Vet (Supply Chain) Deep Fuzz and Kani (both schedule-only — by design)
  • First run: this Saturday 11:07 UTC (2026-05-30)

Summary by CodeRabbit

  • Chores
    • Updated the automated security scanning schedule from daily to weekly cadence, running every Saturday to optimize resource allocation while maintaining security coverage.

Review Change Stack

Was daily at 03:00 UTC = 13:00 AEST = middle of Sydney workday. Combined
with the 8h-per-target deep fuzz (PR #33), that's ~128 runner-hours/day
saturating the ARC pool during work hours.

New schedule: Saturday 11:07 UTC.
- AEST (winter): Sat 21:07 Sydney
- AEDT (summer): Sat 22:07 Sydney
Year-round Saturday night, regardless of DST.

PR-time still has strong coverage:
- Fast Security Checks (cargo audit, deny, clippy, tests)
- Quick Fuzz (120s corpus smoke)
- Cargo Vet (since #32 — runs on pull_request)
- CodeQL (per push)

Off-minute (:07) avoids cron pile-up at :00. `cancel-in-progress`
concurrency still applies; with weekly cadence and ~16h runs, no overlap.
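A quick way to check the two timing claims in this PR (Saturday night in Sydney under both AEST and AEDT, and a run interval long enough that ~16h jobs never overlap) is to evaluate the cron expression rather than reason about offsets by hand. The script below is an added example, not code from the cachekit-core repository or from this PR: it parses a 5-field GitHub Actions cron expression, enumerates its UTC firing times over a calendar year, reports the local weekday and wall-clock time in a target zone, and computes the minimum gap between consecutive runs. `7 11 * * 6` is my rendering of "Saturday 11:07 UTC", `0 3 * * *` is the old daily schedule quoted above, and `Australia/Sydney` is the IANA zone assumed for "Sydney"; all three are inputs I chose, not values from the workflow file. Standard library only (Python 3.9+ for `zoneinfo`).

```python
"""Evaluate a UTC cron schedule in a local time zone across DST.

Added example for the cron-cadence discussion; not part of cachekit-core.
Supports single values, comma lists and ranges per field (all the
workflow schedule needs); step syntax ('*/5') is rejected rather than
silently misparsed.
"""
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo  # stdlib since 3.9; needs the tzdata package on Windows


def _parse_field(text, lo, hi):
    """'*' -> None (any value); otherwise the set of ints the field allows."""
    if text == "*":
        return None
    values = set()
    for part in text.split(","):
        if "/" in part:
            raise ValueError(f"step syntax not supported: {part}")
        if "-" in part:
            a, b = part.split("-", 1)
            candidates = range(int(a), int(b) + 1)
        else:
            candidates = [int(part)]
        for v in candidates:
            if not lo <= v <= hi:
                raise ValueError(f"value {v} outside {lo}-{hi} in field {text!r}")
            values.add(v)
    return values


def parse_cron(expr):
    """Return (minute, hour, day_of_month, month, day_of_week) sets; None = '*'."""
    fields = expr.split()
    if len(fields) != 5:
        raise ValueError("expected 5 fields: minute hour day-of-month month day-of-week")
    minute = _parse_field(fields[0], 0, 59)
    hour = _parse_field(fields[1], 0, 23)
    dom = _parse_field(fields[2], 1, 31)
    month = _parse_field(fields[3], 1, 12)
    dow = _parse_field(fields[4], 0, 7)
    if dow is not None:
        dow = {0 if d == 7 else d for d in dow}  # 7 is an alias for Sunday
    return minute, hour, dom, month, dow


def fire_times_utc(expr, start, end):
    """Chronological list of UTC datetimes in [start, end) at which `expr` fires.

    When both day-of-month and day-of-week are restricted they are OR-ed,
    the classic Vixie cron rule; GitHub Actions follows POSIX cron syntax.
    """
    minute, hour, dom, month, dow = parse_cron(expr)
    minutes = sorted(minute) if minute is not None else range(60)
    hours = sorted(hour) if hour is not None else range(24)
    fires = []
    day = start.date()
    while day <= end.date():
        cron_dow = (day.weekday() + 1) % 7  # Python Monday=0 -> cron Sunday=0
        month_ok = month is None or day.month in month
        if dom is None and dow is None:
            day_ok = True
        elif dom is None:
            day_ok = cron_dow in dow
        elif dow is None:
            day_ok = day.day in dom
        else:
            day_ok = day.day in dom or cron_dow in dow
        if month_ok and day_ok:
            for h in hours:
                for m in minutes:
                    t = datetime(day.year, day.month, day.day, h, m, tzinfo=timezone.utc)
                    if start <= t < end:
                        fires.append(t)
        day += timedelta(days=1)
    return fires


def _year_bounds(year):
    return (datetime(year, 1, 1, tzinfo=timezone.utc),
            datetime(year + 1, 1, 1, tzinfo=timezone.utc))


def local_schedule(expr, zone, year):
    """Distinct (weekday, HH:MM) wall-clock combinations seen in `zone` over `year`.

    Two entries with the same weekday and a one-hour difference is the DST
    signature; a weekday other than the intended one means a midnight crossing.
    """
    tz = ZoneInfo(zone)
    seen = set()
    for t in fire_times_utc(expr, *_year_bounds(year)):
        local = t.astimezone(tz)
        seen.add((local.strftime("%A"), local.strftime("%H:%M")))
    return sorted(seen)


def min_gap_hours(expr, year):
    """Smallest interval (hours) between consecutive firings within `year`."""
    fires = fire_times_utc(expr, *_year_bounds(year))
    if len(fires) < 2:
        return None
    return min((b - a).total_seconds() / 3600 for a, b in zip(fires, fires[1:]))


if __name__ == "__main__":
    for expr in ("0 3 * * *", "7 11 * * 6"):  # old daily vs. proposed weekly schedule
        print(f"{expr!r}: {local_schedule(expr, 'Australia/Sydney', 2026)}, "
              f"min gap {min_gap_hours(expr, 2026):.0f}h")
```

For the weekly expression the output should list only Saturday entries at 21:07 and 22:07 (AEST and AEDT respectively) with a 168h minimum gap, which is what makes the "no overlap with ~16h runs" argument hold even without relying on `cancel-in-progress`.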

coderabbitai Bot commented May 23, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f41fe4af-8334-45b0-b0ba-e928147ba804

📥 Commits

Reviewing files that changed from the base of the PR and between b196e50 and 6ae0044.

📒 Files selected for processing (1)
  • .github/workflows/security.yml

📝 Walkthrough

The security workflow scheduling was adjusted from daily execution at 03:00 UTC to weekly execution at 11:07 UTC on Saturdays. Updated comments explain the new cadence and off-minute timing choice to distribute runner-hour consumption and avoid cron pile-up.

Changes

Security Workflow Schedule

| Layer / File(s) | Summary |
| --- | --- |
| Weekly security workflow scheduling (.github/workflows/security.yml) | Cron schedule updated from daily at 03:00 UTC to weekly at 11:07 UTC on Saturdays; comments adjusted to document timing rationale and runner-hour budgeting for the deep-fuzz security check. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

  • cachekit-io/cachekit-core#33: Extends deep-fuzz job and step timeouts to support 8 hours per target, which complements this PR's weekly scheduling adjustment for the same security workflow.

Poem

🐰 Tick-tock, the Saturday bell chimes,
No more daily alarms at odd times,
Once a week, at 7 past 11 we run,
Security fuzzing—efficient and fun! 🔐

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and specifically describes the main change: moving the Security cron schedule from daily to weekly on Saturday at Sydney night time, which matches the primary modification in the changeset. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@27Bslash6 27Bslash6 merged commit f3a2794 into main May 23, 2026
30 checks passed
@27Bslash6 27Bslash6 deleted the chore/security-cron-weekly branch May 23, 2026 10:58