diff --git a/.github/workflows/README.md b/.github/workflows/README.md
index 215994d46347..390e7091342c 100644
--- a/.github/workflows/README.md
+++ b/.github/workflows/README.md
@@ -30,21 +30,21 @@ File: `ci-containers-ghcr.yml`
 # CI
-Main continuous integration job. Builds CCF for all target platforms, runs unit, end to end and partition tests for SGX and Virtual. Run on every commit, including PRs from forks, gates merging.
+Main continuous integration job. Builds CCF for all target platforms, runs unit, end to end and partition tests for SGX and Virtual. Run on every commit, including PRs from forks, gates merging. Also runs once a week, regardless of commits.
 File: `ci.yml`
 3rd party dependencies: None
 # CodeQL analysis
-Builds CCF with CodeQL, and runs the security-extended checks. Triggered on every commit on main, plus PRs that affect ".github/workflows/codeql-analysis.yml".
+Builds CCF with CodeQL, and runs the security-extended checks. Triggered on PRs that affect ".github/workflows/codeql-analysis.yml", and once a week on main.
 File: `codeql-analysis.yml`
 3rd party dependencies: None
 # Release
-Produces CCF release artefacts from 5.0.0-rc0 onwards, for all languages and platforms. Triggered on tag matching "ccf-5.\*". The output of the job is a draft release, which needs to be published manually. Publishing triggers the downstream jobs listed below.
+Produces CCF release artefacts from 5.0.0-rc0 onwards, for all languages and platforms. Triggered on tags matching "ccf-5.\*". The output of the job is a draft release, which needs to be published manually. Publishing triggers the downstream jobs listed below.
 File: `release.yml`
 3rd party dependencies: None
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b8ae4aba3bf2..267b3db04da3 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,12 +1,16 @@
 name: CI
 on:
- push:
- branches: [main]
+ schedule:
+ - cron: "0 0 * * 0"
 pull_request:
 workflow_dispatch:
 merge_group:
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
 permissions:
 contents: read
 actions: read
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index b3ecc8a9f747..ce89186d55c9 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -6,14 +6,17 @@
 name: "CodeQL"
 on:
- push:
- branches: [main]
+ schedule:
+ - cron: "0 0 * * 0"
 pull_request:
- branches: [main]
 paths:
 - ".github/workflows/codeql-analysis.yml"
 workflow_dispatch:
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
 permissions: read-all
 jobs:
diff --git a/.github/workflows/tlaplus.yml b/.github/workflows/tlaplus.yml
index f561f76a7e07..de42cf1dd728 100644
--- a/.github/workflows/tlaplus.yml
+++ b/.github/workflows/tlaplus.yml
@@ -1,13 +1,17 @@
 name: "TLA+ Spec Verification"
 on:
- push:
- branches: [main]
+ schedule:
+ - cron: "0 0 * * 0"
 pull_request:
 paths:
 - "tla/**"
 workflow_dispatch:
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
 permissions:
 actions: read
 contents: read
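Review bot: The new `concurrency` block in ci.yml cancels on every trigger, not only on pull requests: a `workflow_dispatch` run on main and the weekly `schedule` run both resolve to the group `CI-refs/heads/main`, so starting one cancels the other mid-run. With the push trigger removed, the scheduled run is the only run against main itself, so it is worth protecting; limiting cancellation to PR events would do that: `cancel-in-progress: ${{ github.event_name == 'pull_request' }}`. The same block is added in the codeql-analysis.yml and tlaplus.yml hunks, where the cancelled run would be the weekly CodeQL scan or spec check. The `permissions` mapping continues past the end of this hunk.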
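Review bot: In codeql-analysis.yml, no CodeQL run now covers a source change before or at merge: the `pull_request` trigger is still limited by `paths` to the workflow file itself, and the only run on main is the Sunday `schedule`, so a finding can trail the commit that introduced it by up to a week. If that window is accepted, record it above the trigger, e.g. `# Weekly scan is the only CodeQL coverage of source changes; alerts can trail a merge by up to 7 days.` Scheduled workflows also run only on the default branch, and GitHub documents that `schedule` events at the top of the hour can be delayed or dropped under load. All three workflows in this commit use `"0 0 * * 0"`, so giving each a distinct off-peak minute would make the weekly scan more dependable. The `jobs:` section begins at the end of this hunk and is not visible here.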
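Review bot: In tlaplus.yml the `paths` filter under `pull_request` lists only `"tla/**"`, so with the push trigger gone a PR that edits just this workflow file is not exercised until the next weekly run or a manual dispatch. codeql-analysis.yml in the same commit lists its own path, presumably for this reason; adding `- ".github/workflows/tlaplus.yml"` to `paths` would keep changes to the verification job itself checked before merge. The `permissions` mapping continues outside the hunk.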