diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..b7b2cf5
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,77 @@
+name: CodeQL
+
+# GitHub's free security scanner for Go source. Runs on every PR
+# against main, on every push to main, and on a weekly schedule so
+# newly-disclosed query rules catch any drift in the committed tree.
+#
+# Free on public repositories; no billing impact.
+
+on:
+ push:
+ branches: [main]
+ paths-ignore:
+ - "signatures/**"
+ - "CONTRIBUTORS.md"
+ - "**.md"
+ - ".github/images/**"
+ - "llms.txt"
+ - "llms-full.txt"
+ - "bench.txt"
+ pull_request:
+ branches: [main]
+ paths-ignore:
+ - "signatures/**"
+ - "CONTRIBUTORS.md"
+ - "**.md"
+ - ".github/images/**"
+ - "llms.txt"
+ - "llms-full.txt"
+ - "bench.txt"
+ schedule:
+ # Mondays 06:17 UTC — off the hour to avoid queueing with every
+ # other repo that schedules on :00.
+ - cron: "17 6 * * 1"
+
+permissions:
+ contents: read
+
+concurrency:
+ group: codeql-${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ analyze:
+ name: Analyze (${{ matrix.language }})
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ packages: read
+ actions: read
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - language: go
+ build-mode: autobuild
+ steps:
+ - uses: actions/checkout@v6.0.2
+
+ - uses: actions/setup-go@v6.4.0
+ with:
+ go-version: "1.26"
+ cache: true
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: ${{ matrix.language }}
+ build-mode: ${{ matrix.build-mode }}
+ # `security-and-quality` runs the standard security queries
+ # plus maintainability checks. Small library, zero runtime
+ # deps — the extra rules have negligible runtime cost.
+ queries: security-and-quality
+
+ - name: Perform CodeQL analysis
+ uses: github/codeql-action/analyze@v3
+ with:
+ category: "/language:${{ matrix.language }}"
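Review bot: The job-level `permissions` block of the `analyze` job does not restate `contents: read`, and a job-level block replaces the workflow-level one instead of extending it, so this job's token carries no `contents` scope and `actions/checkout` only succeeds because the repository is public, as the header comment assumes. Adding `contents: read` beneath `security-events: write` keeps the job working if the repository is ever made private and matches GitHub's own CodeQL template, which lists all four scopes. Separately, `actions/checkout@v6.0.2`, `actions/setup-go@v6.4.0` and both `github/codeql-action/*@v3` references are pinned by tag, which a moved or compromised tag can redirect; pinning each to its full commit SHA with the version in a trailing comment is the usual hardening for a job that writes `security-events`. Minor: `"CONTRIBUTORS.md"` in both `paths-ignore` lists is already covered by `"**.md"` and can be dropped.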
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 37523f9..71d1f83 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -91,6 +91,8 @@ jobs: runs-on: ubuntu-latest permissions: contents: write + id-token: write + attestations: write steps: # On a real release the tag has just been pushed by the `tag` # job, so we check it out. On a dry run no tag exists yet; @@ -121,6 +123,15 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Attest build provenance + if: inputs.dry_run != true + uses: actions/attest-build-provenance@v2 + with: + subject-path: | + dist/*.tar.gz + dist/*.zip + dist/checksums.txt + proxy-warm: name: Warm Go module proxy needs: goreleaser
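Review bot: `id-token: write` added in the first hunk is granted to every step of the job, not only to the new attestation step, so any third-party action or tool running in this job can request an OIDC token for the repository's identity; the job already holds `contents: write`, which makes it the most sensitive job in the workflow. Pinning the job's actions to full commit SHAs limits what a redirected tag could do with that token, and a one-line comment on the two new scopes would record why they exist: `# id-token + attestations: used only by the 'Attest build provenance' step (Sigstore/OIDC)`. The job's header and the rest of its steps are outside the hunk.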
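Review bot: Nothing on the new `Attest build provenance` step says what the attestation covers or how a consumer checks it, and `actions/attest-build-provenance@v2` is a floating major tag rather than a commit SHA. A comment on the step would close the gap, e.g. `# Sigstore provenance for the release archives and checksums; verify with: gh attestation verify <file> --repo <OWNER/REPO>` (owner/repo is a placeholder). Because the step appears to run after the preceding goreleaser step has published the release, a failure here — for instance a `subject-path` pattern that matches nothing in `dist/` for some target, which the action treats as an error when no subjects are found — leaves an already-public release without provenance, so the three globs are worth checking against what goreleaser actually emits. The enclosing job starts outside the hunk.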