feat: transfer ownership

.github/workflows/ci.yml

@@ -5,11 +5,16 @@ on:
     branches: [main]
   pull_request:
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 permissions:
   contents: read
 
 jobs:
   pre-commit:
+    name: Pre-commit
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -23,6 +28,7 @@ jobs:
       - run: pre-commit run --all-files --show-diff-on-failure --color=always
 
   test:
+    name: Test
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -38,11 +44,12 @@ jobs:
         run: pytest
 
   security:
+    name: Security audit
     runs-on: ubuntu-latest
     permissions:
       contents: read
-      pull-requests: write
-      security-events: write
+      pull-requests: write # Post or update PR comments with scan results from the composite action
+      security-events: write # Upload SARIF to GitHub code scanning when the audit publishes security events
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:

.github/workflows/integration-tests.yml

@@ -230,9 +230,11 @@ jobs:
 
       - name: Record step outcome
         if: always()
+        env:
+          AUDIT_OUTCOME: ${{ steps.audit.outcome }}
         run: |
           mkdir -p outcome
-          echo "${{ steps.audit.outcome }}" > outcome/outcome.txt
+          echo "$AUDIT_OUTCOME" > outcome/outcome.txt
 
       - name: Upload outcome
         if: always()
@@ -248,7 +250,7 @@ jobs:
     needs: [integration-test]
     runs-on: ubuntu-latest
     permissions:
-      pull-requests: write
+      pull-requests: write # Post or update the integration-test validation report on PRs
 
     steps:
       - name: Checkout action repo
@@ -298,27 +300,28 @@ jobs:
         if: always() && github.event_name == 'pull_request'
         env:
           GH_TOKEN: ${{ github.token }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+          GITHUB_REPOSITORY: ${{ github.repository }}
         run: |
           if [ ! -f validation-report.md ]; then
             echo "No report generated" >&2
             exit 0
           fi
 
           MARKER="<!-- integration-test-validation-report -->"
-          PR_NUMBER="${{ github.event.pull_request.number }}"
 
           # Find existing comment with our marker
           COMMENT_ID=$(
             gh api \
-              "repos/${{ github.repository }}/issues/${PR_NUMBER}/comments" \
+              "repos/${GITHUB_REPOSITORY}/issues/${PR_NUMBER}/comments" \
               --paginate -q \
               ".[] | select(.body | contains(\"${MARKER}\")) | .id" \
             | head -n 1
           )
 
           if [ -n "$COMMENT_ID" ]; then
             gh api \
-              "repos/${{ github.repository }}/issues/comments/${COMMENT_ID}" \
+              "repos/${GITHUB_REPOSITORY}/issues/comments/${COMMENT_ID}" \
               --method PATCH \
               -F "body=@validation-report.md"
             echo "Updated existing comment ${COMMENT_ID}"

.github/workflows/release-please.yml

@@ -4,15 +4,20 @@ on:
   push:
     branches: [main]
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
 permissions: {}
 
 jobs:
   release-please:
+    name: Release Please
     runs-on: ubuntu-latest
     environment: release
     permissions:
-      contents: write
-      pull-requests: write
+      contents: write # Create releases, tags, and release branches
+      pull-requests: write # Open and update pin README pull requests
     steps:
       - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4.4.0
         id: release
@@ -28,41 +33,48 @@ jobs:
         if: ${{ steps.release.outputs.release_created }}
         env:
           GITHUB_TOKEN: ${{ github.token }}
+          GITHUB_REPOSITORY: ${{ github.repository }}
+          RELEASE_MAJOR: ${{ steps.release.outputs.major }}
+          RELEASE_TAG_NAME: ${{ steps.release.outputs.tag_name }}
         run: |
           git config user.name "github-actions[bot]"
           git config user.email "github-actions[bot]@users.noreply.github.com"
-          git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@github.com/${{ github.repository }}.git"
-          git tag -fa "v${{ steps.release.outputs.major }}" \
-            -m "Release v${{ steps.release.outputs.tag_name }}"
-          git push origin "v${{ steps.release.outputs.major }}" --force
+          git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git"
+          git tag -fa "v${RELEASE_MAJOR}" \
+            -m "Release v${RELEASE_TAG_NAME}"
+          git push origin "v${RELEASE_MAJOR}" --force
 
       - name: Pin README to release SHA
         if: ${{ steps.release.outputs.release_created }}
         env:
           GH_TOKEN: ${{ github.token }}
+          RELEASE_SHA: ${{ steps.release.outputs.sha }}
+          RELEASE_TAG_NAME: ${{ steps.release.outputs.tag_name }}
         run: |
           sed -i -E \
-            's|lhoupert/action-python-security-auditing@[^ ]+( # v[0-9][^ ]*)?|lhoupert/action-python-security-auditing@${{ steps.release.outputs.sha }} # ${{ steps.release.outputs.tag_name }}|g' \
+            "s|developmentseed/action-python-security-auditing@[^ ]+( # v[0-9][^ ]*)?|developmentseed/action-python-security-auditing@${RELEASE_SHA} # ${RELEASE_TAG_NAME}|g" \
             README.md
           git add README.md
           git diff --cached --quiet && echo "README unchanged, skipping commit" && exit 0
-          BRANCH="chore/pin-readme-${{ steps.release.outputs.tag_name }}"
+          BRANCH="chore/pin-readme-${RELEASE_TAG_NAME}"
           git checkout -b "$BRANCH"
-          git commit -m "chore: pin README to ${{ steps.release.outputs.tag_name }}"
+          git commit -m "chore: pin README to ${RELEASE_TAG_NAME}"
           git push origin "$BRANCH"
           gh pr create \
-            --title "chore: pin README to ${{ steps.release.outputs.tag_name }}" \
-            --body "Automated: pin README SHA references to release ${{ steps.release.outputs.tag_name }}." \
+            --title "chore: pin README to ${RELEASE_TAG_NAME}" \
+            --body "Automated: pin README SHA references to release ${RELEASE_TAG_NAME}." \
             --base main \
             --head "$BRANCH"
 
       - name: Notify tests repo to update action pin
         if: ${{ steps.release.outputs.release_created }}
         env:
           GH_TOKEN: ${{ secrets.TESTS_REPO_DISPATCH_TOKEN }}
+          RELEASE_SHA: ${{ steps.release.outputs.sha }}
+          RELEASE_TAG_NAME: ${{ steps.release.outputs.tag_name }}
         run: |
           gh api repos/lhoupert/action-python-security-auditing-tests/dispatches \
             --method POST \
             -f event_type=action-release \
-            -F client_payload[sha]='${{ steps.release.outputs.sha }}' \
-            -F client_payload[tag]='${{ steps.release.outputs.tag_name }}'
+            -F "client_payload[sha]=${RELEASE_SHA}" \
+            -F "client_payload[tag]=${RELEASE_TAG_NAME}"

.github/workflows/scorecard.yml

@@ -7,17 +7,21 @@ on:
     # Weekly on Saturdays.
     - cron: "30 1 * * 6"
 
-permissions: read-all
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+  actions: read # Required by Scorecard to evaluate workflow security posture
 
 jobs:
   analysis:
     name: Scorecard analysis
     runs-on: ubuntu-latest
     permissions:
-      # Needed for Code scanning upload
-      security-events: write
-      # Needed for GitHub OIDC token if publish_results is true
-      id-token: write
+      security-events: write # Upload Scorecard SARIF to the code scanning API
+      id-token: write # GitHub OIDC token when publish_results is true
 
     steps:
       - name: "Checkout code"

CHANGELOG.md

@@ -1,76 +1,76 @@
 # Changelog
 
-## [0.5.0](https://github.com/lhoupert/action-python-security-auditing/compare/v0.4.3...v0.5.0) (2026-03-30)
+## [0.5.0](https://github.com/developmentseed/action-python-security-auditing/compare/v0.4.3...v0.5.0) (2026-03-30)
 
 
 ### Features
 
-* add integration tests ([#42](https://github.com/lhoupert/action-python-security-auditing/issues/42)) ([437ac46](https://github.com/lhoupert/action-python-security-auditing/commit/437ac46491009a5784e6defab2a933901fe2dfe0))
+* add integration tests ([#42](https://github.com/developmentseed/action-python-security-auditing/issues/42)) ([437ac46](https://github.com/developmentseed/action-python-security-auditing/commit/437ac46491009a5784e6defab2a933901fe2dfe0))
 
-## [0.4.3](https://github.com/lhoupert/action-python-security-auditing/compare/v0.4.2...v0.4.3) (2026-03-28)
+## [0.4.3](https://github.com/developmentseed/action-python-security-auditing/compare/v0.4.2...v0.4.3) (2026-03-28)
 
 
 ### Bug Fixes
 
-* add debug logging and fix bandit multi-target separator ([#36](https://github.com/lhoupert/action-python-security-auditing/issues/36)) ([b0d01ab](https://github.com/lhoupert/action-python-security-auditing/commit/b0d01ab5838a99fe9b2a25503dbb3b01e9c6b5b2))
+* add debug logging and fix bandit multi-target separator ([#36](https://github.com/developmentseed/action-python-security-auditing/issues/36)) ([b0d01ab](https://github.com/developmentseed/action-python-security-auditing/commit/b0d01ab5838a99fe9b2a25503dbb3b01e9c6b5b2))
 
-## [0.4.2](https://github.com/lhoupert/action-python-security-auditing/compare/v0.4.1...v0.4.2) (2026-03-28)
+## [0.4.2](https://github.com/developmentseed/action-python-security-auditing/compare/v0.4.1...v0.4.2) (2026-03-28)
 
 
 ### Bug Fixes
 
-* fix inconsistencies ([#33](https://github.com/lhoupert/action-python-security-auditing/issues/33)) ([3c796ff](https://github.com/lhoupert/action-python-security-auditing/commit/3c796ff9399a22215ac0da94f0dc05d8f92e66a2))
+* fix inconsistencies ([#33](https://github.com/developmentseed/action-python-security-auditing/issues/33)) ([3c796ff](https://github.com/developmentseed/action-python-security-auditing/commit/3c796ff9399a22215ac0da94f0dc05d8f92e66a2))
 
-## [0.4.1](https://github.com/lhoupert/action-python-security-auditing/compare/v0.4.0...v0.4.1) (2026-03-28)
+## [0.4.1](https://github.com/developmentseed/action-python-security-auditing/compare/v0.4.0...v0.4.1) (2026-03-28)
 
 
 ### Bug Fixes
 
-* add bandit report to artifacts ([#27](https://github.com/lhoupert/action-python-security-auditing/issues/27)) ([8180cd7](https://github.com/lhoupert/action-python-security-auditing/commit/8180cd7e7731f985b1a9c8095b5a38bb867ae915))
+* add bandit report to artifacts ([#27](https://github.com/developmentseed/action-python-security-auditing/issues/27)) ([8180cd7](https://github.com/developmentseed/action-python-security-auditing/commit/8180cd7e7731f985b1a9c8095b5a38bb867ae915))
 
-## [0.4.0](https://github.com/lhoupert/action-python-security-auditing/compare/v0.3.2...v0.4.0) (2026-03-27)
+## [0.4.0](https://github.com/developmentseed/action-python-security-auditing/compare/v0.3.2...v0.4.0) (2026-03-27)
 
 
 ### Features
 
-* notify test repo to update action pin ([#24](https://github.com/lhoupert/action-python-security-auditing/issues/24)) ([0168484](https://github.com/lhoupert/action-python-security-auditing/commit/0168484da35bb129ded7f8184144483930ceedaa))
+* notify test repo to update action pin ([#24](https://github.com/developmentseed/action-python-security-auditing/issues/24)) ([0168484](https://github.com/developmentseed/action-python-security-auditing/commit/0168484da35bb129ded7f8184144483930ceedaa))
 
-## [0.3.2](https://github.com/lhoupert/action-python-security-auditing/compare/v0.3.1...v0.3.2) (2026-03-27)
+## [0.3.2](https://github.com/developmentseed/action-python-security-auditing/compare/v0.3.1...v0.3.2) (2026-03-27)
 
 
 ### Bug Fixes
 
-* add working directory ([#22](https://github.com/lhoupert/action-python-security-auditing/issues/22)) ([e73b876](https://github.com/lhoupert/action-python-security-auditing/commit/e73b876852e010f5bd4c659c2164d454d0410aff))
-* fix small issues with uv and poetry ([#20](https://github.com/lhoupert/action-python-security-auditing/issues/20)) ([0a4c0e9](https://github.com/lhoupert/action-python-security-auditing/commit/0a4c0e9993d082f1e29ecccb06a4fcdcbec9cbfc))
+* add working directory ([#22](https://github.com/developmentseed/action-python-security-auditing/issues/22)) ([e73b876](https://github.com/developmentseed/action-python-security-auditing/commit/e73b876852e010f5bd4c659c2164d454d0410aff))
+* fix small issues with uv and poetry ([#20](https://github.com/developmentseed/action-python-security-auditing/issues/20)) ([0a4c0e9](https://github.com/developmentseed/action-python-security-auditing/commit/0a4c0e9993d082f1e29ecccb06a4fcdcbec9cbfc))
 
-## [0.3.1](https://github.com/lhoupert/action-python-security-auditing/compare/v0.3.0...v0.3.1) (2026-03-27)
+## [0.3.1](https://github.com/developmentseed/action-python-security-auditing/compare/v0.3.0...v0.3.1) (2026-03-27)
 
 
 ### Bug Fixes
 
-* fix ci to pin update in readme ([#16](https://github.com/lhoupert/action-python-security-auditing/issues/16)) ([a97a516](https://github.com/lhoupert/action-python-security-auditing/commit/a97a51680c9e269100dc9b18f7d098bac878b4c0))
+* fix ci to pin update in readme ([#16](https://github.com/developmentseed/action-python-security-auditing/issues/16)) ([a97a516](https://github.com/developmentseed/action-python-security-auditing/commit/a97a51680c9e269100dc9b18f7d098bac878b4c0))
 
-## [0.3.0](https://github.com/lhoupert/action-python-security-auditing/compare/v0.2.0...v0.3.0) (2026-03-27)
+## [0.3.0](https://github.com/developmentseed/action-python-security-auditing/compare/v0.2.0...v0.3.0) (2026-03-27)
 
 
 ### Features
 
-* add ossf scorecard ([#13](https://github.com/lhoupert/action-python-security-auditing/issues/13)) ([b29d0ef](https://github.com/lhoupert/action-python-security-auditing/commit/b29d0ef3d8514d04240a3bce759dd783ffa40001))
+* add ossf scorecard ([#13](https://github.com/developmentseed/action-python-security-auditing/issues/13)) ([b29d0ef](https://github.com/developmentseed/action-python-security-auditing/commit/b29d0ef3d8514d04240a3bce759dd783ffa40001))
 
 
 ### Bug Fixes
 
-* bug on push events ([31e0fa0](https://github.com/lhoupert/action-python-security-auditing/commit/31e0fa0e20fadd3fc8b89bbb26efc6b5ca3557ef))
-* fix warning ([#15](https://github.com/lhoupert/action-python-security-auditing/issues/15)) ([2d95cbc](https://github.com/lhoupert/action-python-security-auditing/commit/2d95cbc2fed7ee39258437927fb78a89f84e4db2))
+* bug on push events ([31e0fa0](https://github.com/developmentseed/action-python-security-auditing/commit/31e0fa0e20fadd3fc8b89bbb26efc6b5ca3557ef))
+* fix warning ([#15](https://github.com/developmentseed/action-python-security-auditing/issues/15)) ([2d95cbc](https://github.com/developmentseed/action-python-security-auditing/commit/2d95cbc2fed7ee39258437927fb78a89f84e4db2))
 
-## [0.2.0](https://github.com/lhoupert/action-python-security-auditing/compare/v0.1.0...v0.2.0) (2026-03-27)
+## [0.2.0](https://github.com/developmentseed/action-python-security-auditing/compare/v0.1.0...v0.2.0) (2026-03-27)
 
 
 ### Features
 
-* add bandit action ([#5](https://github.com/lhoupert/action-python-security-auditing/issues/5)) ([bbde8aa](https://github.com/lhoupert/action-python-security-auditing/commit/bbde8aa5584f4aa65a173c526d2d3902ecc3a976))
+* add bandit action ([#5](https://github.com/developmentseed/action-python-security-auditing/issues/5)) ([bbde8aa](https://github.com/developmentseed/action-python-security-auditing/commit/bbde8aa5584f4aa65a173c526d2d3902ecc3a976))
 
 
 ### Bug Fixes
 
-* formatting table ([#10](https://github.com/lhoupert/action-python-security-auditing/issues/10)) ([191bf3c](https://github.com/lhoupert/action-python-security-auditing/commit/191bf3ca1b8da0fe78c086dc297279f5fe572a4f))
+* formatting table ([#10](https://github.com/developmentseed/action-python-security-auditing/issues/10)) ([191bf3c](https://github.com/developmentseed/action-python-security-auditing/commit/191bf3ca1b8da0fe78c086dc297279f5fe572a4f))