diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 6ee7fe32..e22dca49 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -4,10 +4,10 @@ name: "CodeQL check" on: workflow_dispatch: - push: + pull_request: branches: - main - pull_request: + push: branches: - main schedule: @@ -20,26 +20,36 @@ jobs: analyze: name: Analyze (${{ matrix.language }}) runs-on: ubuntu-latest + permissions: security-events: write packages: read + actions: read + contents: read + strategy: fail-fast: false matrix: include: - language: actions build-mode: none + source-root: . + steps: - name: Checkout + id: checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Initialize CodeQL + id: initialize uses: github/codeql-action/init@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3.28.17 with: languages: ${{ matrix.language }} build-mode: ${{ matrix.build-mode }} + source-root: ${{ matrix.source-root }} - name: Perform CodeQL Analysis + id: analyze uses: github/codeql-action/analyze@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3.28.17 with: - category: "/language:${{matrix.language}}" + category: '/language:${{matrix.language}}'
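Review bot: The Checkout step in the second hunk (`@@ -20,26 +20,36 @@`) gains an `id` but still runs `actions/checkout` with its defaults, so the job's `GITHUB_TOKEN` stays stored in the checked-out repository's local git configuration for the rest of the job. None of the visible steps runs git against the remote, so I would add `with:` and `persist-credentials: false` under that step. That keeps the token, which now carries `contents: read` and `actions: read` alongside `security-events: write`, from being readable on disk by later steps. The new `actions: read` and `contents: read` entries would also benefit from a comment such as `# needed by CodeQL on private repositories; scopes not listed here are set to none`, because a job-level `permissions` block drops every scope it does not name. The steps list may continue past the end of the hunk, so confirm that no later step relies on the persisted credentials.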