diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6a5d0c5..409ec1a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -9,6 +9,7 @@ permissions:
 pull-requests: write
 statuses: write
 packages: write
+ security-events: write
 jobs:
 release-please:
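Review bot: `security-events: write` is added to the workflow-level `permissions:` block, so every job in this file inherits it, while only the CodeQL analyze step needs to upload SARIF; the release-please and image-publish jobs (outside this hunk) then run with the ability to write code-scanning results they never produce. Prefer declaring it on the job that needs it — on the CodeQL job, `permissions:` / `  contents: read` / `  security-events: write` (plus `pull-requests: read` for its `gh pr list`, and `actions: read` if the repository is private) — and leave the workflow-level block without it. Least privilege matters more than usual here because the same token also stamps required-status contexts through `statuses: write`.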
@@ -28,26 +29,75 @@ jobs:
 # GITHUB_TOKEN-created PRs don't trigger CI workflows, so required
 # status checks never run on the release branch. Since release-please
 # only bumps versions and changelogs (code is already tested on main),
- # we satisfy the required checks via the commit status API.
- - name: Set required status checks on release PR
- if: steps.release.outputs.pr--number
+ # we satisfy the required checks via the commit status API, then
+ # enable auto-merge so the PR merges once checks are satisfied.
+ - name: Auto-satisfy checks and enable auto-merge on release PR
+ if: steps.release.outputs.prs_created == 'true'
 run: |
- SHA=$(gh pr view "${{ steps.release.outputs.pr--number }}" --json headRefOid --jq '.headRefOid')
+ PR_NUMBER=$(gh pr list --label "autorelease: pending" --json number --jq '.[0].number')
+ if [ -z "$PR_NUMBER" ]; then
+ echo "No pending release PR found"
+ exit 0
+ fi
+ echo "Found release PR #$PR_NUMBER"
+ SHA=$(gh pr view "$PR_NUMBER" --json headRefOid --jq '.headRefOid')
 for check in ci security-status; do
 gh api "repos/${{ github.repository }}/statuses/$SHA" \
 -f state=success \
 -f context="$check" \
 -f description="Release PR — code already tested on main"
 done
+ gh pr merge "$PR_NUMBER" --squash --auto
 env:
 GH_TOKEN: ${{ github.token }}
- - name: Enable auto-merge on release PR
- if: steps.release.outputs.pr--number
- run: gh pr merge "${{ steps.release.outputs.pr--number }}" --squash --auto
+ # Run CodeQL on the release PR branch to satisfy the code scanning ruleset.
+ # GITHUB_TOKEN-created PRs don't trigger other workflows, so we run CodeQL
+ # here to ensure results are uploaded for the release PR commit.
+ codeql-release-pr:
+ needs: release-please
+ if: needs.release-please.outputs.release_created != 'true'
+ runs-on: ubuntu-latest
+ timeout-minutes: 15
+ steps:
+ - name: Find release PR
+ id: find-pr
+ run: |
+ PR_NUMBER=$(gh pr list --label "autorelease: pending" --json number --jq '.[0].number')
+ if [ -z "$PR_NUMBER" ]; then
+ echo "skip=true" >> "$GITHUB_OUTPUT"
+ exit 0
+ fi
+ REF=$(gh pr view "$PR_NUMBER" --json headRefName --jq '.headRefName')
+ echo "ref=$REF" >> "$GITHUB_OUTPUT"
+ echo "skip=false" >> "$GITHUB_OUTPUT"
 env:
 GH_TOKEN: ${{ github.token }}
+ - name: Checkout release PR branch
+ if: steps.find-pr.outputs.skip != 'true'
+ uses: actions/checkout@v4
+ with:
+ ref: ${{ steps.find-pr.outputs.ref }}
+
+ - name: Initialize CodeQL
+ if: steps.find-pr.outputs.skip != 'true'
+ uses: github/codeql-action/init@v3
+ with:
+ languages: javascript-typescript
+ config-file: .github/codeql/codeql-config.yml
+ queries: security-extended
+
+ - name: Autobuild
+ if: steps.find-pr.outputs.skip != 'true'
+ uses: github/codeql-action/autobuild@v3
+
+ - name: Perform CodeQL analysis
+ if: steps.find-pr.outputs.skip != 'true'
+ uses: github/codeql-action/analyze@v3
+ with:
+ category: '/language:javascript-typescript'
+
 # Build and publish Docker image when a release is created.
 # This runs in the same workflow to avoid the GITHUB_TOKEN limitation
 # where release events created by GITHUB_TOKEN don't trigger other workflows.
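Review bot: `gh pr list --label "autorelease: pending" --json number --jq '.[0].number'` in the auto-satisfy step selects the first open PR carrying that label regardless of who opened it or where its head lives, and the step then posts `success` for the required `ci` and `security-status` contexts on that PR's head SHA and enables auto-merge — so anyone who can get the label onto a PR (triage permission suffices, and fork PRs are listed too) gets the required checks bypassed for arbitrary code, which the old `steps.release.outputs.pr--number` selector did not allow. Tie the selection to release-please's own result: use `fromJSON(steps.release.outputs.pr).number` if that output exists on the action version in use (not visible here), or at minimum add `--author "app/github-actions"`, request `isCrossRepository,headRefName` in `--json`, and select only a non-cross-repository PR on release-please's own head branch before stamping statuses; the `Find release PR` step in `codeql-release-pr` should apply the same filter so CodeQL is not pointed at a stranger's branch. Also, `Find release PR` runs before `actions/checkout`, and `gh` cannot resolve the repository without a git remote, so unless `GH_REPO` is set elsewhere in the workflow (not visible) that step fails — add `GH_REPO: ${{ github.repository }}` next to `GH_TOKEN` in its `env`. The third-party actions are referenced by mutable tags (`actions/checkout@v4`, `github/codeql-action/*@v3`); pin them to commit SHAs.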