diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 43bcbcff..3603a124 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -7,6 +7,9 @@ on:
     branches:
       - main
       - 'release-*'
+    # ignore PRs with only documentation changes
+    paths-ignore:
+      - '**/*.md'
 
 permissions:
   contents: read
@@ -23,6 +26,13 @@ jobs:
   validate:
     uses: "./.github/workflows/lib-validate.yaml"
 
+  codeql:
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    uses: "./.github/workflows/lib-codeql.yaml"
+
   build:
     needs:
       - trivy