diff --git a/CHANGELOG.md b/CHANGELOG.md
index fc19c55..ff1c6dc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,14 @@ Versions follow [Semantic Versioning](https://semver.org/).
 ---
+## [1.2.2] — 2026-03-11
+
+### Fixed
+- CI release: CHANGELOG commit moved to deploy script (pre-tag) — avoids branch protection conflict during CI.
+- CI fallback PR path for CHANGELOG commit when API commit is blocked.
+
+---
+
 ## [1.2.1] — 2026-03-11
 ### Security
@@ -185,32 +193,3 @@ _(initial 1.1.x series — internal stabilisation)_
 ### Added
 - Stripe webhooks: `invoice.paid` and `invoice.payment_failed` handlers.
-
----
-
-## [Unreleased]
-
-## [1.2.1] — 2026-03-10
-
-### Fixed
-- cryptography 43.0.0 → 46.0.5 — 3 Dependabot CVEs
-
-### Documentation
-- CHANGELOG.md + auto-update on release
-
-### Tests
-- branch chain_hash by algorithm field (legacy vs canonical_json)
-
----
-_Next changes will appear here automatically._
-
----
-
-## [1.2.1] — 2026-03-10
-
-### Security
-- **cryptography 43.0.0 → 46.0.5** — closes 3 Dependabot alerts:
- - HIGH: subgroup attack via missing validation on SECT curves (fixed in 46.0.5)
- - MEDIUM: vulnerable OpenSSL bundled in wheels (fixed in 43.0.1)
- - LOW: vulnerable OpenSSL bundled in wheels (fixed in 44.0.1)
- `cryptography` is not directly used by Trust Layer code (Fernet key derivation only) — no API change.
diff --git a/scripts/update_changelog.py b/scripts/update_changelog.py
index 75b5041..9d4f0b4 100644
--- a/scripts/update_changelog.py
+++ b/scripts/update_changelog.py
@@ -106,32 +106,23 @@ def build_entry(tag: str, commits: list[str]) -> str:
 def update_changelog(entry: str) -> None:
 content = CHANGELOG.read_text(encoding="utf-8")
- marker = "## [Unreleased]"
- if marker not in content:
- # Append at end if marker missing
- CHANGELOG.write_text(content.rstrip() + "\n\n" + entry, encoding="utf-8")
- return
-
- # Insert after the [Unreleased] block (first blank line after it)
 lines = content.splitlines(keepends=True)
 insert_at = None
- in_unreleased = False
+
+ # Insert after the first "---" separator (end of file header block).
+ # This places new entries right after the header, before existing versions.
 for i, line in enumerate(lines):
- if line.strip() == marker:
- in_unreleased = True
- continue
- if in_unreleased and line.strip() == "":
+ if line.strip() == "---":
 insert_at = i + 1
 break
 if insert_at is None:
- # Fallback: insert right after the marker line
- for i, line in enumerate(lines):
- if line.strip() == marker:
- insert_at = i + 1
- break
+ # No separator found — append after header
+ CHANGELOG.write_text(content.rstrip() + "\n\n" + entry, encoding="utf-8")
+ return
- lines.insert(insert_at, entry)
+ entry_block = "\n" + entry
+ lines.insert(insert_at, entry_block)
 CHANGELOG.write_text("".join(lines), encoding="utf-8")
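Review bot: update_changelog() still writes `entry` unconditionally, so running it twice for the same tag (a retried release, or the fallback PR path after the first commit already landed) would insert the same version section again; the duplicated `## [1.2.1] — 2026-03-10` blocks this commit deletes from CHANGELOG.md look like that kind of residue. A guard placed before the `for` loop that searches for `---` would make the function idempotent, e.g. `heading = entry.strip().splitlines()[0]` followed by `if any(line.strip() == heading for line in lines): return`, assuming build_entry() (its body is outside this hunk) returns a non-empty entry that starts with the version heading. The comment `# No separator found — append after header` also does not match the branch it sits in, which appends at the end of the file; `# No separator found — append at end of file` would be accurate. Because this file is where security fixes such as the cryptography upgrade are recorded, duplicate or misplaced sections make the release record harder to audit.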