Jebel-Quant · tschm · May 25, 2026 · May 24, 2026 · May 24, 2026 · May 24, 2026
diff --git a/.github/workflows/rhiza_codeql.yml b/.github/workflows/rhiza_codeql.yml
@@ -0,0 +1,129 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+# ******** IMPORTANT: GitHub Advanced Security Required ********
+# CodeQL is FREE for public repositories, but requires GitHub Advanced Security
+# (part of GitHub Enterprise) for private repositories.
+#
+# This workflow automatically:
+# - Runs on public repositories
+# - Skips on private repositories (unless Advanced Security is available)
+#
+# To control this behavior, set the CODEQL_ENABLED repository variable:
+# - Set to 'true' to force enable (if you have Advanced Security on private repos)
+# - Set to 'false' to disable entirely
+# - Leave unset for automatic behavior (recommended)
+#
+# To learn more about customizing this workflow, see the comments below
+#
+name: "(RHIZA) CODEQL"
+
+on:
+  push:
+    branches: [ "main", "master" ]
+  pull_request:
+    branches: [ "main", "master" ]
+  schedule:
+    - cron: '27 1 * * 1'
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    # Runner size impacts CodeQL analysis time. To learn more, please see:
+    #   - https://gh.io/recommended-hardware-resources-for-running-codeql
+    #   - https://gh.io/supported-runners-and-hardware-resources
+    #   - https://gh.io/using-larger-runners (GitHub.com only)
+    # Consider using larger runners or machines with greater resources for possible analysis time improvements.
+    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+    # CodeQL requires GitHub Advanced Security (part of GitHub Enterprise).
+    # For users without Enterprise license:
+    # - Public repositories: CodeQL is available for free
+    # - Private repositories: Requires GitHub Advanced Security
+    # To disable this workflow, set CODEQL_ENABLED repository variable to 'false'
+    # To enable this workflow for private repos with Advanced Security, set CODEQL_ENABLED to 'true'
+    if: |
+      vars.CODEQL_ENABLED == 'true' ||
+      (vars.CODEQL_ENABLED != 'false' && github.event.repository.visibility == 'public')
+    permissions:
+      # required for all workflows
+      security-events: write
+
+      # required to fetch internal or private CodeQL packs
+      packages: read
+
+      # only required for workflows in private repositories
+      actions: read
+      contents: read
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+        - language: actions
+          build-mode: none
+        - language: python
+          build-mode: none
+        # CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift'
+        # Use `c-cpp` to analyze code written in C, C++ or both
+        # Use 'java-kotlin' to analyze code written in Java, Kotlin or both
+        # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
+        # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
+        # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
+        # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
+        # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v6.0.2
+
+    - name: Configure git auth for private packages
+      uses: ./.github/actions/configure-git-auth
+      with:
+        token: ${{ secrets.GH_PAT }}
+    # Add any setup steps before running the `github/codeql-action/init` action.
+    # This includes steps like installing compilers or runtimes (`actions/setup-node`
+    # or others). This is typically only required for manual builds.
+    # - name: Setup runtime (example)
+    #   uses: actions/setup-example@v1
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v4.36.0
+      with:
+        languages: ${{ matrix.language }}
+        build-mode: ${{ matrix.build-mode }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+
+        # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+        # queries: security-extended,security-and-quality
+
+    # If the analyze step fails for one of the languages you are analyzing with
+    # "We were unable to automatically build your code", modify the matrix above
+    # to set the build mode to "manual" for that language. Then modify this step
+    # to build your code.
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+    - name: Run manual build steps
+      if: matrix.build-mode == 'manual'
+      shell: bash
+      run: |
+        echo 'If you are using a "manual" build mode for one or more of the' \
+          'languages you are analyzing, replace this with the commands to build' \
+          'your code, for example:'
+        echo '  make bootstrap'
+        echo '  make release'
+        exit 1
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v4.36.0
+      with:
+        category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/rhiza_release.yml b/.github/workflows/rhiza_release.yml
@@ -369,7 +369,7 @@ jobs:
 
       - name: Login to Container Registry
         if: steps.check_publish.outputs.should_publish == 'true'
-        uses: docker/login-action@v4.1.0
+        uses: docker/login-action@v4.2.0
         with:
           registry: ${{ steps.registry.outputs.registry }}
           username: ${{ github.repository_owner }}

diff --git a/.rhiza/rhiza.mk b/.rhiza/rhiza.mk
@@ -51,6 +51,11 @@ export PYTHON_VERSION
 RHIZA_VERSION ?= $(shell cat .rhiza/.rhiza-version 2>/dev/null || echo "0.10.2")
 export RHIZA_VERSION
 
+# Default sync schedule (cron expression for GitHub Actions sync workflow)
+# Override in your root Makefile to customise when sync runs.
+# Example: RHIZA_SYNC_SCHEDULE = 0 9 * * 1-5  (weekdays at 9 AM UTC)
+RHIZA_SYNC_SCHEDULE ?= 0 0 * * 1
+
 export UV_NO_MODIFY_PATH := 1
 export UV_VENV_CLEAR := 1
 
@@ -77,7 +82,7 @@ endef
 export RHIZA_LOGO
 
 # Declare phony targets for Rhiza Core
-.PHONY: print-logo sync sync-experimental materialize validate readme pre-sync post-sync pre-validate post-validate
+.PHONY: print-logo sync sync-experimental materialize validate readme pre-sync post-sync pre-validate post-validate _apply-sync-schedule
 
 # Hook targets (double-colon rules allow multiple definitions)
 # Note: pre-install/post-install are defined in bootstrap.mk
@@ -99,9 +104,16 @@ sync: pre-sync ## sync with template repository as defined in .rhiza/template.ym
 	else \
 		$(MAKE) install-uv; \
 		${UVX_BIN} "rhiza==$(RHIZA_VERSION)" sync .; \
+		$(MAKE) _apply-sync-schedule; \
 	fi
 	@$(MAKE) post-sync
 
+_apply-sync-schedule: ## (internal) apply RHIZA_SYNC_SCHEDULE override to GitHub Actions sync workflow
+	@if [ "$(RHIZA_SYNC_SCHEDULE)" != "0 0 * * 1" ] && [ -f .github/workflows/rhiza_sync.yml ]; then \
+		sed -i.bak "s|cron: '[^']*'|cron: '$(RHIZA_SYNC_SCHEDULE)'|" .github/workflows/rhiza_sync.yml && rm -f .github/workflows/rhiza_sync.yml.bak; \
+		printf "${BLUE}[INFO] Applied custom sync schedule: $(RHIZA_SYNC_SCHEDULE)${RESET}\n"; \
+	fi
+
 materialize: ## [DEPRECATED] use 'make sync' instead — materialize --force is now sync
 	@printf "${YELLOW}[WARN] 'make materialize' is deprecated and will be removed in a future release.${RESET}\n"
 	@printf "${YELLOW}[WARN] Please use 'make sync' instead (e.g. 'materialize --force' is now 'make sync').${RESET}\n"

diff --git a/.rhiza/template.lock b/.rhiza/template.lock
@@ -1,7 +1,7 @@
-sha: d20dd62adfdd9bfcd918fac200f5d37ed237c604
+sha: 38a5a25d415f12dfd7fa8cc81e985da9907dc94e
 repo: jebel-quant/rhiza
 host: github
-ref: v0.10.9
+ref: v0.11.0
 include: []
 exclude: []
 templates:
@@ -82,6 +82,7 @@ files:
 - .rhiza/tests/sync/test_docstrings.py
 - .rhiza/tests/sync/test_readme_validation.py
 - .rhiza/tests/sync/test_rhiza_version.py
+- .rhiza/tests/sync/test_sync_schedule.py
 - .rhiza/tests/test_utils.py
 - .rhiza/tests/utils/test_git_repo_fixture.py
 - .rhiza/utils/pip_audit_policy.py
@@ -98,5 +99,5 @@ files:
 - ruff.toml
 profiles:
 - github-project
-synced_at: '2026-05-24T09:00:58Z'
+synced_at: '2026-05-24T13:23:32Z'
 strategy: merge
diff --git a/.rhiza/template.yml b/.rhiza/template.yml
@@ -1,5 +1,5 @@
 repository: "jebel-quant/rhiza"
-ref: "v0.10.9"
+ref: "v0.11.0"
 
 profiles:
   - github-project

diff --git a/.rhiza/tests/sync/test_sync_schedule.py b/.rhiza/tests/sync/test_sync_schedule.py
@@ -0,0 +1,128 @@
+"""Tests for the RHIZA_SYNC_SCHEDULE override mechanism.
+
+These tests validate that users can override the default sync schedule
+(cron expression) used in the GitHub Actions sync workflow, and that
+the override is applied correctly during `make sync`.
+
+Security Notes:
+- S101 (assert usage): Asserts are used in pytest tests to validate conditions
+- S603/S607 (subprocess usage): Any subprocess calls are for testing sync targets
+  in isolated environments with controlled inputs
+- Test code operates in a controlled environment with trusted inputs
+"""
+
+from __future__ import annotations
+
+from pathlib import Path
+
+from sync.conftest import run_make, strip_ansi
+
+
+class TestSyncScheduleVariable:
+    """Tests for the RHIZA_SYNC_SCHEDULE Makefile variable."""
+
+    def test_default_sync_schedule_value(self, logger):
+        """RHIZA_SYNC_SCHEDULE should default to '0 0 * * 1' (weekly Monday)."""
+        proc = run_make(logger, ["print-RHIZA_SYNC_SCHEDULE"], dry_run=False)
+        out = strip_ansi(proc.stdout)
+        assert "Value of RHIZA_SYNC_SCHEDULE:" in out
+        assert "0 0 * * 1" in out
+
+    def test_sync_schedule_overridable_via_env(self, logger, tmp_path: Path):
+        """RHIZA_SYNC_SCHEDULE should be overridable via environment variable."""
+        import os
+
+        env = os.environ.copy()
+        env["RHIZA_SYNC_SCHEDULE"] = "0 9 * * 1-5"
+
+        proc = run_make(logger, ["print-RHIZA_SYNC_SCHEDULE"], dry_run=False, env=env)
+        out = strip_ansi(proc.stdout)
+        assert "0 9 * * 1-5" in out
+
+    def test_sync_schedule_overridable_via_makefile(self, logger, tmp_path: Path):
+        """RHIZA_SYNC_SCHEDULE should be overridable in root Makefile."""
+        makefile = tmp_path / "Makefile"
+        original = makefile.read_text()
+        new_content = "RHIZA_SYNC_SCHEDULE = 0 6 * * *\n\n" + original
+        makefile.write_text(new_content)
+
+        proc = run_make(logger, ["print-RHIZA_SYNC_SCHEDULE"], dry_run=False)
+        out = strip_ansi(proc.stdout)
+        assert "0 6 * * *" in out
+
+
+class TestApplySyncSchedule:
+    """Tests for the _apply-sync-schedule target."""
+
+    def test_apply_sync_schedule_skips_when_default(self, logger, tmp_path: Path):
+        """_apply-sync-schedule should not modify files when using default schedule."""
+        # Create a mock workflow file matching the actual rhiza_sync.yml format
+        workflow_dir = tmp_path / ".github" / "workflows"
+        workflow_dir.mkdir(parents=True)
+        workflow_file = workflow_dir / "rhiza_sync.yml"
+        original_content = "on:\n  schedule:\n    - cron: '0 0 * * 1'  # Weekly on Monday\n"
+        workflow_file.write_text(original_content)
+
+        proc = run_make(logger, ["_apply-sync-schedule"], dry_run=False)
+        assert proc.returncode == 0
+
+        # File should remain unchanged
+        assert workflow_file.read_text() == original_content
+
+    def test_apply_sync_schedule_patches_workflow(self, logger, tmp_path: Path):
+        """_apply-sync-schedule should patch workflow when schedule is overridden."""
+        # Create a mock workflow file matching the actual rhiza_sync.yml format
+        workflow_dir = tmp_path / ".github" / "workflows"
+        workflow_dir.mkdir(parents=True)
+        workflow_file = workflow_dir / "rhiza_sync.yml"
+        workflow_file.write_text("on:\n  schedule:\n    - cron: '0 0 * * 1'  # Weekly on Monday\n")
+
+        # Override the schedule via Makefile
+        makefile = tmp_path / "Makefile"
+        original = makefile.read_text()
+        new_content = "RHIZA_SYNC_SCHEDULE = 0 9 * * 1-5\n\n" + original
+        makefile.write_text(new_content)
+
+        proc = run_make(logger, ["_apply-sync-schedule"], dry_run=False)
+        assert proc.returncode == 0
+
+        # File should be patched
+        patched = workflow_file.read_text()
+        assert "0 9 * * 1-5" in patched
+        assert "0 0 * * 1" not in patched
+
+    def test_apply_sync_schedule_handles_missing_workflow(self, logger, tmp_path: Path):
+        """_apply-sync-schedule should succeed even if workflow file is missing."""
+        # Override the schedule but don't create workflow file
+        makefile = tmp_path / "Makefile"
+        original = makefile.read_text()
+        new_content = "RHIZA_SYNC_SCHEDULE = 0 6 * * *\n\n" + original
+        makefile.write_text(new_content)
+
+        proc = run_make(logger, ["_apply-sync-schedule"], dry_run=False)
+        assert proc.returncode == 0
+
+    def test_apply_sync_schedule_prints_info(self, logger, tmp_path: Path):
+        """_apply-sync-schedule should print info message when patching."""
+        # Create a mock workflow file matching the actual rhiza_sync.yml format
+        workflow_dir = tmp_path / ".github" / "workflows"
+        workflow_dir.mkdir(parents=True)
+        workflow_file = workflow_dir / "rhiza_sync.yml"
+        workflow_file.write_text("on:\n  schedule:\n    - cron: '0 0 * * 1'\n")
+
+        # Override the schedule
+        makefile = tmp_path / "Makefile"
+        original = makefile.read_text()
+        new_content = "RHIZA_SYNC_SCHEDULE = 0 12 * * 0\n\n" + original
+        makefile.write_text(new_content)
+
+        proc = run_make(logger, ["_apply-sync-schedule"], dry_run=False)
+        out = strip_ansi(proc.stdout)
+        assert "Applied custom sync schedule" in out
+        assert "0 12 * * 0" in out
+
+    def test_sync_target_calls_apply_schedule(self, logger):
+        """The sync target should include _apply-sync-schedule in dry-run output."""
+        proc = run_make(logger, ["sync"])
+        out = proc.stdout
+        assert "_apply-sync-schedule" in out