diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 25bb464..5e88618 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -33,8 +33,8 @@ env:
 jobs:
   codeql:
     name: CodeQL Analysis
-    runs-on: ubuntu-latest
-    continue-on-error: true  # CodeQL OOM on large Android projects with 7GB runner limit
+    runs-on: [self-hosted, wallet]
+    if: github.event_name == 'push'  # Only run on push, not PRs (self-hosted security)
 
     steps:
       - name: Checkout