cure53 · cure53 · Jun 23, 2026 · Jun 23, 2026 · Jun 23, 2026
@@ -7,11 +7,12 @@ name: Scorecard supply-chain security
 on:
   # For the Branch-Protection check; only the default branch is supported.
   branch_protection_rule:
-  # Keeps the Maintained check fresh and re-evaluates after CodeQL has settled.
+  # Keeps the Maintained check fresh and re-evaluates after CodeQL has settled. Weekly is enough:
+  # the score signals do not move day to day, and Friday lands just after the Thursday CodeQL run.
   schedule:
-    - cron: '24 17 * * *'
+    - cron: '24 17 * * 5'
   # Lets a maintainer trigger the first run (and re-runs) by hand from the Actions
-  # tab, instead of waiting for the daily cron - useful to publish the first report.
+  # tab, instead of waiting for the weekly cron - useful to publish the first report.
   workflow_dispatch:
   # NOTE: no 'push' trigger on purpose - running at merge time races the CodeQL
   # scan of the just-merged commit and makes the SAST check read as unchecked.

@@ -1,4 +1,5 @@
 node_modules/
+dist/fortify.cov.*
 coverage/
 .nyc_output/
 *.log