diff --git a/.github/workflows/code-scan.yml b/.github/workflows/code-scan.yml
index 92be34e..55acdee 100644
--- a/.github/workflows/code-scan.yml
+++ b/.github/workflows/code-scan.yml
@@ -5,6 +5,14 @@ on:
 required: false
 type: boolean
 default: true
+ codeql-build-cmd:
+ required: false
+ type: string
+ default: 'V=1 make build'
+ codeql-build-mode:
+ required: false
+ type: string
+ default: ''
 permissions:
 actions: read
@@ -15,3 +23,6 @@ jobs:
 codeql:
 if: inputs.run-codeql
 uses: ./.github/workflows/codeql-analysis.yml
+ with:
+ codeql-build-cmd: ${{ inputs.codeql-build-cmd }}
+ codeql-build-mode: ${{ inputs.codeql-build-mode }}
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index b2740ef..e14449d 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -10,6 +10,10 @@ on:
 required: false
 type: string
 default: 'V=1 make build'
+ codeql-build-mode:
+ required: false
+ type: string
+ default: ''
 goprivate:
 required: false
 type: string
@@ -99,6 +103,7 @@ jobs:
 uses: github/codeql-action/init@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
 with:
 languages: ${{ matrix.language }}
+ build-mode: ${{ inputs.codeql-build-mode }}
 queries: security-and-quality # use Canonical suite
 packs: codeql/go-queries # and pin the official pack explicitly
 -
@@ -107,7 +112,12 @@ jobs:
 run: |
 make bootstrap
 -
+ # Run only when the selected build mode expects a manual build:
+ # - '' (unset) keeps legacy behavior for existing callers.
+ # - 'manual' means the caller wants this step to drive the build.
+ # 'autobuild' and 'none' are handled by codeql-action itself, so we skip.
 name: Build
+ if: inputs.codeql-build-mode == '' || inputs.codeql-build-mode == 'manual'
 env:
 CODEQL_BUILD_CMD: ${{ inputs.codeql-build-cmd }}
 run: |
diff --git a/.github/workflows/goCI.yml b/.github/workflows/goCI.yml
index 66bf7b4..00660d0 100644
--- a/.github/workflows/goCI.yml
+++ b/.github/workflows/goCI.yml
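Review bot: The new `codeql-build-cmd` and `codeql-build-mode` inputs carry no `description:`, so a caller of this reusable workflow cannot tell which values `codeql-build-mode` accepts or that the empty default keeps the existing manual-build behavior; the `codeql-build-mode` input added in codeql-analysis.yml and goCI.yml has the same gap. I would add under each `codeql-build-mode` a line such as `description: "CodeQL build mode for codeql-action/init: '' keeps the manual Build step, or manual/autobuild/none"`, and under `codeql-build-cmd` a one-line description stating that it is the shell command the manual Build step runs. The visible `run-codeql` input above has no description either, so this follows the file's existing convention, but these are the inputs whose meaning is least obvious from their names.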
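Review bot: `build-mode:` is now passed to codeql-action/init unconditionally, so with the default input the action receives an empty string where it previously received no `build-mode` at all; this relies on the action treating an empty optional input as unset, which I believe the pinned v4.35.3 does, but nothing in the hunk confirms it and a regression here would change how every existing caller is analysed. A short inline comment would at least record the assumption, e.g. `build-mode: ${{ inputs.codeql-build-mode }} # empty = unset; keeps the manual Build step below`. The enclosing `steps:` list starts and ends outside the hunk.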
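Review bot: The new `if:` on the Build step skips the manual build for every value other than '' and 'manual', so a misspelt mode such as 'Manual' silently skips the build instead of failing here; whether codeql-action/init rejects an unknown build-mode before this step is reached is not visible in the hunk, so either confirm that or add a small step that fails fast when `inputs.codeql-build-mode` is outside '', 'manual', 'autobuild', 'none'. The explanatory comment is placed between the step's `-` line and its `name:` key, which parses fine but reads oddly; moving the four comment lines above the `-` keeps the step header contiguous. The comment's statement that 'autobuild' and 'none' are handled by the action itself is also an assumption about the pinned action rather than something this workflow enforces, so I would phrase it as such. The Build step's `run:` body continues outside the hunk.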
@@ -9,6 +9,10 @@ on:
 required: false
 type: string
 default: 'V=1 make build'
+ codeql-build-mode:
+ required: false
+ type: string
+ default: ''
 codeql-make-bootstrap:
 required: false
 type: boolean
@@ -117,6 +121,7 @@ jobs:
 os-dependencies: ${{ inputs.os-dependencies }}
 codeql-make-bootstrap: ${{ inputs.codeql-make-bootstrap }}
 codeql-build-cmd: ${{ inputs.codeql-build-cmd }}
+ codeql-build-mode: ${{ inputs.codeql-build-mode }}
 secrets:
 SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
 PAT: ${{ secrets.PAT }}