diff --git a/.github/workflows/sec-audit.yml b/.github/workflows/sec-audit.yml
index a2eaf4b5b..20916cb67 100644
--- a/.github/workflows/sec-audit.yml
+++ b/.github/workflows/sec-audit.yml
@@ -70,6 +70,7 @@ env:
     CARGO_TERM_COLOR: always
 
 jobs:
+    # Run all security lanes on the same Blacksmith-tagged Linux pool for consistent routing.
     audit:
         name: Security Audit
         runs-on: [self-hosted, Linux, X64, blacksmith-2vcpu-ubuntu-2404]
diff --git a/.github/workflows/sec-codeql.yml b/.github/workflows/sec-codeql.yml
index 969790511..d10c12e8b 100644
--- a/.github/workflows/sec-codeql.yml
+++ b/.github/workflows/sec-codeql.yml
@@ -61,6 +61,7 @@ jobs:
               shell: bash
               run: |
                   set -euo pipefail
+                  # Keep both lanes on the Blacksmith Linux pool to avoid provider-specific routing.
                   branch="${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}}"
                   if [[ "$branch" == release/* ]]; then
                     echo 'labels=["self-hosted","Linux","X64","blacksmith-2vcpu-ubuntu-2404"]' >> "$GITHUB_OUTPUT"