diff --git a/.github/workflows/Codeql.yml b/.github/workflows/Codeql.yml
new file mode 100644
index 00000000000..ac1a6c7cf44
--- /dev/null
+++ b/.github/workflows/Codeql.yml
@@ -0,0 +1,54 @@
+name: "CodeQL Python Security Scan (Top-N + PR Comment)"
+
+on:
+ pull_request:
+ branches: [ main, master ]
+ types: [opened, synchronize, reopened]
+ push:
+ branches: [ main, master ]
+
+permissions:
+ contents: read
+ actions: read
+ security-events: write
+
+jobs:
+ codeql-analysis:
+ name: "CodeQL Analysis (Python)"
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: python
+
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@v3
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
+ with:
+ upload: true
+
+ - name: Comment CodeQL Alerts on PR
+ if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository
+ uses: marocchino/sticky-pull-request-comment@v2
+ with:
+ path: results.sarif
+ header: "### :shield: CodeQL Python Security Alerts Summary"
+ layout: "group-by-file"
+ format: "markdown-table"
+ sort-severity: true
+ highlight: "Critical,High"
+ collapse: "Medium,Low"
+ max-items-per-file: 5
+ show-summary: true
+ show-file-overview: true
+ overflow-text: "+{remaining} more alerts in this file"
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml
index 1cf5c058cc7..84ed5cded48 100644
--- a/.github/workflows/python.yml
+++ b/.github/workflows/python.yml
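Review bot: The `Comment CodeQL Alerts on PR` step needs `pull-requests: write`, but the workflow-level `permissions` block grants only `contents: read`, `actions: read` and `security-events: write`, so the comment call made with `GITHUB_TOKEN` will be rejected even on the same-repo PRs the `if:` guard allows; add `pull-requests: write` to that block (the fork exclusion in the `if:` is correct and should stay, since fork PRs only get a read token anyway). The step's inputs also look unverified: `path: results.sarif` does not match where `codeql-action/analyze` writes its SARIF (it uses its `output` directory, by default outside the workspace, one file per language), and `layout`, `format`, `sort-severity`, `highlight`, `collapse`, `max-items-per-file`, `show-summary`, `show-file-overview` and `overflow-text` are not inputs I can find for `marocchino/sticky-pull-request-comment`, which would ignore them with an "Unexpected input(s)" warning and post the raw file as the comment body, or fail when the file is missing. Either add a step that renders the SARIF into markdown and point `path` at that file, or drop the comment step until it has been run end-to-end. Because this workflow runs with a write-scoped token, the third-party action should be pinned to a full commit SHA rather than the mutable `@v2` tag, e.g. `uses: marocchino/sticky-pull-request-comment@<full-commit-sha> # v2`, and `fetch-depth: 0` can be dropped since CodeQL does not need history.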
@@ -1,21 +1,29 @@ name: Python Checks -on: [pull_request, push] +on: + pull_request: + types: [opened, synchronize, reopened] + push: + branches: + - main + +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true jobs: Test: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v4 - name: Set up Python - uses: actions/setup-python@v2 + uses: actions/setup-python@v5 with: python-version: '3.13' - name: Cache Python dependencies - id: cache-pip uses: actions/cache@v3 with: path: ~/.cache/pip @@ -42,4 +50,4 @@ jobs: run: mypy . --ignore-missing-imports || true - name: Run Pytest tests - run: pytest \ No newline at end of file + run: pytest
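Review bot: The workflow still has no top-level `permissions:` block, so the `GITHUB_TOKEN` it receives falls back to the repository's default token permissions rather than least privilege; since the `Test` job only checks out, caches and runs mypy/pytest, add `permissions:` / `  contents: read` alongside the new `concurrency:` block, matching the explicit `permissions` in the CodeQL workflow this commit adds. Note that `cancel-in-progress: true` also applies to pushes to `main`, because the group key falls back to `github.ref` when there is no PR number, so a quick second push cancels the test run for the previous commit on main — acceptable for a check-only job, but if main should always finish, use `cancel-in-progress: ${{ github.event_name == 'pull_request' }}`. `actions/cache@v3` was left at its old major while `checkout` and `setup-python` were bumped, which is presumably unintended. The `Test` job's remaining steps continue past this hunk.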