diff --git a/.github/workflows/dotnet-ci.yml b/.github/workflows/dotnet-ci.yml
index 5eb3c26..d3c0690 100644
--- a/.github/workflows/dotnet-ci.yml
+++ b/.github/workflows/dotnet-ci.yml
@@ -43,6 +43,13 @@ on:
         type: number
         required: false
         default: 20
+      submodules:
+        description: >
+          Checkout submodules. Pass 'true' for top-level,
+          'recursive' for nested, or '' to skip (default).
+        type: string
+        required: false
+        default: ""
 
 permissions:
   contents: read
@@ -61,6 +68,8 @@ jobs:
         with:
           egress-policy: audit
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          submodules: ${{ inputs.submodules }}
       - uses: actions/setup-dotnet@3e891b0cb619bf60e2c25674b222b8940e2c1c25  # v4
         with:
           dotnet-version: ${{ inputs.dotnet-version }}
@@ -94,6 +103,8 @@ jobs:
         with:
           egress-policy: audit
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          submodules: ${{ inputs.submodules }}
       - uses: actions/setup-dotnet@3e891b0cb619bf60e2c25674b222b8940e2c1c25  # v4
         with:
           dotnet-version: ${{ inputs.dotnet-version }}
@@ -119,6 +130,8 @@ jobs:
         with:
           egress-policy: audit
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          submodules: ${{ inputs.submodules }}
       - uses: actions/setup-dotnet@3e891b0cb619bf60e2c25674b222b8940e2c1c25  # v4
         with:
           dotnet-version: ${{ inputs.dotnet-version }}
diff --git a/.github/workflows/required.yml b/.github/workflows/required.yml
index d6f89a3..d234d5e 100644
--- a/.github/workflows/required.yml
+++ b/.github/workflows/required.yml
@@ -88,6 +88,13 @@ on:
         type: string
         required: false
         default: ""
+      submodules:
+        description: >
+          Checkout submodules for language-CI and CodeQL jobs. Pass 'true'
+          for top-level, 'recursive' for nested, or '' to skip (default).
+        type: string
+        required: false
+        default: ""
 
 permissions:
   contents: read
@@ -124,6 +131,7 @@ jobs:
       languages: ${{ inputs.codeql-languages }}
       enable-semgrep: ${{ inputs.enable-semgrep }}
       enable-gitleaks: ${{ inputs.enable-gitleaks }}
+      submodules: ${{ inputs.submodules }}
     secrets: inherit
 
   rust:
@@ -167,6 +175,7 @@ jobs:
       dotnet-version: ${{ inputs.dotnet-version }}
       solution: ${{ inputs.dotnet-solution }}
       working-directory: ${{ inputs.working-directory }}
+      submodules: ${{ inputs.submodules }}
 
   cpp:
     needs: [validate-lang]
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
index 957cccc..7387c2b 100644
--- a/.github/workflows/security-scan.yml
+++ b/.github/workflows/security-scan.yml
@@ -64,6 +64,13 @@ on:
         type: boolean
         required: false
         default: true
+      submodules:
+        description: >
+          Checkout submodules for the CodeQL job (autobuild may need them).
+          Pass 'true' for top-level, 'recursive' for nested, or '' to skip.
+        type: string
+        required: false
+        default: ""
 
 permissions:
   contents: read
@@ -92,6 +99,8 @@ jobs:
         with:
           egress-policy: audit
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+        with:
+          submodules: ${{ inputs.submodules }}
       - name: Initialize CodeQL
         uses: github/codeql-action/init@5c8a8a642e79153f5d047b10ec1cba1d1cc65699  # v3
         with: