pypa · woodruffw · Sep 1, 2022 · Sep 1, 2022 · Sep 1, 2022
diff --git a/README.md b/README.md
@@ -1,12 +1,15 @@
 gh-action-pip-audit
 ===================
 
-[![CI](https://github.com/trailofbits/gh-action-pip-audit/actions/workflows/ci.yml/badge.svg)](https://github.com/trailofbits/gh-action-pip-audit/actions/workflows/ci.yml)
-[![Self-test](https://github.com/trailofbits/gh-action-pip-audit/actions/workflows/selftest.yml/badge.svg)](https://github.com/trailofbits/gh-action-pip-audit/actions/workflows/selftest.yml)
+[![CI](https://github.com/pypa/gh-action-pip-audit/actions/workflows/ci.yml/badge.svg)](https://github.com/pypa/gh-action-pip-audit/actions/workflows/ci.yml)
+[![Self-test](https://github.com/pypa/gh-action-pip-audit/actions/workflows/selftest.yml/badge.svg)](https://github.com/pypa/gh-action-pip-audit/actions/workflows/selftest.yml)
 
-A GitHub Action that uses [`pip-audit`](https://github.com/trailofbits/pip-audit)
+A GitHub Action that uses [`pip-audit`](https://github.com/pypa/pip-audit)
 to scan Python dependencies for known vulnerabilities.
 
+This project is maintained in part by [Trail of Bits](https://www.trailofbits.com/)
+with support from Google. This is not an official Google or Trail of Bits product.
+
 ## Index
 
 * [Usage](#usage)
@@ -18,7 +21,7 @@ to scan Python dependencies for known vulnerabilities.
 
 ## Usage
 
-Simply add `trailofbits/gh-action-pip-audit` to one of your workflows:
+Simply add `pypa/gh-action-pip-audit` to one of your workflows:
 
 ```yaml
 jobs:
@@ -28,7 +31,7 @@ jobs:
       - uses: actions/checkout@v3
       - name: install
         run: python -m pip install .
-      - uses: trailofbits/gh-action-pip-audit@v1.0.0
+      - uses: pypa/gh-action-pip-audit@v1.0.0
 ```
 
 Or, with a virtual environment:
@@ -44,7 +47,7 @@ jobs:
           python -m venv env/
           source env/bin/activate
           python -m pip install .
-      - uses: trailofbits/gh-action-pip-audit@v1.0.0
+      - uses: pypa/gh-action-pip-audit@v1.0.0
         with:
           virtual-environment: env/
 ```
@@ -68,15 +71,15 @@ The `inputs` setting controls what sources `pip-audit` runs on.
 To audit one or more requirements-style inputs:
 
 ```yaml
-- uses: trailofbits/gh-action-pip-audit@v1.0.0
+- uses: pypa/gh-action-pip-audit@v1.0.0
   with:
     inputs: requirements.txt dev-requirements.txt
 ```
 
 To audit a project that uses `pyproject.toml` for its dependencies:
 
 ```yaml
-- uses: trailofbits/gh-action-pip-audit@v1.0.0
+- uses: pypa/gh-action-pip-audit@v1.0.0
   with:
     # NOTE: this can be `.`, for the current directory
     inputs: path/to/project/
@@ -104,7 +107,7 @@ Example: use the virtual environment specified at `env/`, relative to the
 current directory:
 
 ```yaml
-- uses: trailofbits/gh-action-pip-audit@v1.0.0
+- uses: pypa/gh-action-pip-audit@v1.0.0
   with:
     virtual-environment: env/
     # Note the absence of `input:`, since we're auditing the environment.
@@ -124,7 +127,7 @@ installed directly into the current environment are included.
 Example:
 
 ```yaml
-- uses: trailofbits/gh-action-pip-audit@v1.0.0
+- uses: pypa/gh-action-pip-audit@v1.0.0
   with:
     local: true
 ```
@@ -141,7 +144,7 @@ It's directly equivalent to `pip-audit --vulnerability-service=...`.
 To audit with OSV instead of PyPI:
 
 ```yaml
-- uses: trailofbits/gh-action-pip-audit@v1.0.0
+- uses: pypa/gh-action-pip-audit@v1.0.0
   with:
     vulnerability-service: osv
 ```
@@ -156,7 +159,7 @@ It's directly equivalent to `pip-audit --require-hashes ...`.
 Example:
 
 ```yaml
-- uses: trailofbits/gh-action-pip-audit@v1.0.0
+- uses: pypa/gh-action-pip-audit@v1.0.0
   with:
     # NOTE: only works with requirements-style inputs
     inputs: requirements.txt
@@ -173,7 +176,7 @@ It's directly equivalent to `pip-audit --no-deps ...`.
 Example:
 
 ```yaml
-- uses: trailofbits/gh-action-pip-audit@v1.0.0
+- uses: pypa/gh-action-pip-audit@v1.0.0
   with:
     # NOTE: only works with requirements-style inputs
     inputs: requirements.txt
@@ -191,7 +194,7 @@ is rendered at the end of the action.
 Example:
 
 ```yaml
-- uses: trailofbits/gh-action-pip-audit@v1.0.0
+- uses: pypa/gh-action-pip-audit@v1.0.0
   with:
     summary: false
   ```
@@ -210,7 +213,7 @@ indices to search (such as a corporate index with private packages), see
 Example:
 
 ```yaml
-- uses: trailofbits/gh-action-pip-audit@v1.0.0
+- uses: pypa/gh-action-pip-audit@v1.0.0
   with:
     index-url: https://example.corporate.local/simple
 ```
@@ -225,7 +228,7 @@ indexes to search when resolving dependencies. Each URL is whitespace-separated.
 Example:
 
 ```yaml
-- uses: trailofbits/gh-action-pip-audit@v1.0.0
+- uses: pypa/gh-action-pip-audit@v1.0.0
   with:
     extra-index-urls: |
       https://example.corporate.local/simple
@@ -242,7 +245,7 @@ ignore (i.e., exclude from the results) if present. Each ID is whitespace-separa
 Example
 
 ```yaml
-- uses: trailofbits/gh-action-pip-audit@v1.0.0
+- uses: pypa/gh-action-pip-audit@v1.0.0
   with:
     ignore-vulns: |
       GHSA-XXXX-YYYYYY
@@ -272,7 +275,7 @@ Example
   Example:
 
   ```yaml
-  - uses: trailofbits/gh-action-pip-audit@v1.0.0
+  - uses: pypa/gh-action-pip-audit@v1.0.0
     with:
       internal-be-careful-allow-failure: true
   ```
@@ -291,7 +294,7 @@ Example
   Example:
 
   ```yaml
-  - uses: trailofbits/gh-action-pip-audit@v1.0.0
+  - uses: pypa/gh-action-pip-audit@v1.0.0
     with:
       internal-be-careful-debug: true
   ```
@@ -308,7 +311,7 @@ If you're auditing a requirements file, consider setting `no-deps: true` or
 `require-hashes: true`:
 
 ```yaml
-- uses: trailofbits/gh-action-pip-audit@v1.0.0
+- uses: pypa/gh-action-pip-audit@v1.0.0
   with:
     inputs: requirements.txt
     require-hashes: true
@@ -317,14 +320,14 @@ If you're auditing a requirements file, consider setting `no-deps: true` or
 or:
 
 ```yaml
-- uses: trailofbits/gh-action-pip-audit@v1.0.0
+- uses: pypa/gh-action-pip-audit@v1.0.0
   with:
     inputs: requirements.txt
     no-deps: true
 ```
 
 See the
-["`pip-audit` takes longer than I expect!"](https://github.com/trailofbits/pip-audit#pip-audit-takes-longer-than-i-expect)
+["`pip-audit` takes longer than I expect!"](https://github.com/pypa/pip-audit#pip-audit-takes-longer-than-i-expect)
 troubleshooting for more details.
 
 ### The action shows dependencies that aren't in my environment!
@@ -338,7 +341,7 @@ by the host system itself, or other Python projects that happen to be installed.
 To minimize external dependencies, you can opt into a virtual environment:
 
 ```yaml
-- uses: trailofbits/gh-action-pip-audit@v1.0.0
+- uses: pypa/gh-action-pip-audit@v1.0.0
   with:
     # must be populated earlier in the CI
     virtual-environment: env/
@@ -348,7 +351,7 @@ and, more aggressively, specify that only dependencies marked as "local"
 in the virtual environment should be included:
 
 ```yaml
-- uses: trailofbits/gh-action-pip-audit@v1.0.0
+- uses: pypa/gh-action-pip-audit@v1.0.0
   with:
     # must be populated earlier in the CI
     virtual-environment: env/