diff --git a/.github/actions/run-change-detection/action.yaml b/.github/actions/run-change-detection/action.yaml
index a6541f9c..e6161a6f 100644
--- a/.github/actions/run-change-detection/action.yaml
+++ b/.github/actions/run-change-detection/action.yaml
@@ -37,17 +37,18 @@ outputs:
 runs:
   using: "composite"
   steps:
+    # This action is never called from a pull_request_target workflow;
+    # all callers use pull_request, issue_comment, workflow_dispatch, or
+    # workflow_call triggers. Even if it were called from
+    # pull_request_target, the empty sparse checkout below ensures no
+    # files from the ref are materialized on disk — only git objects are
+    # fetched — so no code from the PR is ever executed.
     - name: Check out source code
+      # codeql[actions/untrusted-checkout/medium]
       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       with:
         fetch-depth: 0
         path: ${{ inputs.checkout-path }}
-        # This action is never called from a pull_request_target workflow; all callers
-        # use pull_request, issue_comment, workflow_dispatch, or workflow_call triggers.
-        # Even if it were called from pull_request_target, the empty sparse checkout
-        # below ensures no files from the ref are materialized on disk — only git
-        # objects are fetched — so no code from the PR is ever executed.
-        # codeql[actions/untrusted-checkout/medium]
         ref: ${{ inputs.ref }}
         repository: ${{ inputs.repo }}
         persist-credentials: false
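Review bot: The first sentence of the relocated justification does not establish what it claims: `workflow_call` inherits the event of the workflow that invokes it, so listing it among the callers' triggers does not exclude a `pull_request_target` chain, and an `issue_comment` caller runs in the base repository's context while `ref: ${{ inputs.ref }}` can point at a fork head — exactly the case the suppressed `codeql[actions/untrusted-checkout/medium]` alert is about. The property the step actually relies on is the second sentence plus `persist-credentials: false`, so the comment should lead with that and drop the trigger inventory, e.g. `# Safe even when inputs.ref is a fork head: sparse-checkout is empty (no files on disk) and persist-credentials is false, so nothing from the ref can run here or read the token.` The `sparse-checkout` input the comment calls "below" is not in this hunk — the `with:` block appears to continue past it — so confirm it is still set, since the suppression is only valid while it is. Consider also keeping the suppression comment adjacent to its rationale rather than separated from it by the `- name:` line.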