From e6d9f87adff9c6bc796dda79f63b27adfa61e6d3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lo=C3=AFc=20Houpert?= <10154151+lhoupert@users.noreply.github.com>
Date: Fri, 27 Mar 2026 14:15:13 +0000
Subject: [PATCH 1/2] fix: fix warning

---
 action.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/action.yml b/action.yml
index 45832b7..d749005 100644
--- a/action.yml
+++ b/action.yml
@@ -36,10 +36,11 @@ runs:
     steps:
       - name: Run Bandit (static security analysis)
         if: contains(inputs.tools, 'bandit')
+        continue-on-error: true
         uses: lhoupert/bandit-action@18022d5292d04b21fae1bfa44597b94402ba7365
         with:
           targets: ${{ inputs.bandit_scan_dirs }}
-          level: ${{ inputs.bandit_severity_threshold }}
+          severity: ${{ inputs.bandit_severity_threshold }}
 
       - name: Set up uv
         uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0

From 56632630047bccb2b7d4747c5aa7bd92fce40081 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lo=C3=AFc=20Houpert?= <10154151+lhoupert@users.noreply.github.com>
Date: Fri, 27 Mar 2026 14:25:18 +0000
Subject: [PATCH 2/2] fix: fix security issues

---
 .github/workflows/ci.yml | 9 ++++++---
 .github/workflows/release-please.yml | 7 ++++---
 SECURITY.md | 23 +++++++++++++++++++++++
 uv.lock | 2 +-
 4 files changed, 34 insertions(+), 7 deletions(-)
 create mode 100644 SECURITY.md

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 1cc08a4..b0aa4a5 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -18,7 +18,8 @@ jobs:
       - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: '3.13'
-      - run: pip install pre-commit
+      - uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5.3.1
+      - run: uv pip install --system pre-commit==4.2.0
       - run: pre-commit run --all-files --show-diff-on-failure --color=always
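Review bot: `continue-on-error: true` on the Run Bandit step makes a Bandit failure non-fatal for the calling workflow, so findings at or above `bandit_severity_threshold` are still reported but no longer fail the job, which turns the threshold input into an advisory setting for an action whose purpose is security auditing. If the warning this patch fixes is the unknown `level` input, the rename to `severity` on the next changed line addresses that by itself and the `continue-on-error` line could be dropped; if non-blocking behaviour is intended, it should be stated beside the step and where the input is declared, e.g. `# Bandit findings are annotated but do not fail the job`. The `lhoupert/bandit-action` pin also lacks the `# vX.Y.Z` comment that the `astral-sh/setup-uv` pin below carries, so a reader cannot tell which release that SHA corresponds to. The `runs:` block containing this step starts outside the hunk.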
@@ -31,8 +32,9 @@ jobs:
       - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: '3.13'
+      - uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5.3.1
       - name: Install package and dev dependencies
-        run: pip install -e ".[dev]"
+        run: uv pip install --system -e ".[dev]"
 
       - name: Run tests
         run: pytest
@@ -45,8 +47,9 @@ jobs:
       - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: '3.13'
+      - uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5.3.1
       - name: Install zizmor
-        run: pip install zizmor
+        run: uv pip install --system zizmor==1.6.0
 
       - name: Run zizmor
         run: zizmor --min-severity medium .github/
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index 3a01180..3fa91c6 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -4,13 +4,14 @@ on:
   push:
     branches: [main]
 
-permissions:
-  contents: write
-  pull-requests: write
+permissions: {}
 
 jobs:
   release-please:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
       - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4.4.0
         id: release
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..fff20f0
--- /dev/null
+++ b/SECURITY.md
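Review bot: The `astral-sh/setup-uv` step added here (and in the zizmor hunk below and the pre-commit hunk of this file) is pinned to `d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5.3.1`, while the repository's own `action.yml` in the previous patch pins the same action to `37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0`; two SHAs for one action in one repository doubles the pin-maintenance surface and leaves CI on a release several majors behind the action it tests, so both should be aligned on one reviewed SHA. The `uv pip install --system …==…` lines pin by version only; since `pre-commit` and `zizmor` are the tools that gate this CI, installing them from a hash-pinned requirements file (`uv pip install --system --require-hashes -r <pinned-requirements-file>`) would make the install reproducible rather than only version-stable. The test job's `uv pip install --system -e ".[dev]"` resolves dev dependencies afresh on every run even though a `uv.lock` is committed (see the last file in this patch); presumably `uv sync` with the matching extra/group flag would install from the lock instead — worth confirming against the project's `pyproject.toml`.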
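Review bot: The job-level `contents: write` / `pull-requests: write` grant on `release-please` carries no comment saying what needs it, so the next maintainer cannot tell whether either scope can shrink; a line such as `# release-please opens/updates the release PR and creates the tag and GitHub release` above `permissions:` would pin the rationale. Job-level permissions apply to every step of the job, not only the release-please step, and the job body continues past the hunk, so any further steps there inherit both write scopes — worth checking that none of them could run with less. Moving the workflow default to `permissions: {}` is the right baseline.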
@@ -0,0 +1,23 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported |
+| ------- | ------------------ |
+| latest | :white_check_mark: |
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in this project, please report it responsibly.
+
+**Do not open a public GitHub issue for security vulnerabilities.**
+
+Instead, please use [GitHub's private vulnerability reporting](https://github.com/lhoupert/action-python-security-auditing/security/advisories/new) to submit your report.
+
+### What to expect
+
+- **Acknowledgement** within 48 hours of your report.
+- **Status update** within 7 days with an assessment and remediation timeline.
+- **Credit** in the release notes (unless you prefer to remain anonymous).
+
+Thank you for helping keep this project and its users safe.
diff --git a/uv.lock b/uv.lock
index 243d792..df5d510 100644
--- a/uv.lock
+++ b/uv.lock
@@ -566,7 +566,7 @@ wheels = [
 
 [[package]]
 name = "python-security-auditing"
-version = "0.1.0"
+version = "0.2.0"
 source = { editable = "." }
 dependencies = [
     { name = "pip-audit" },