Merged
2 changes: 1 addition & 1 deletion .github/workflows/README.md
Expand Up @@ -13,7 +13,7 @@ GitHub Actions workflows for django-admin-react.
checks **required** is an owner branch-protection action (#452 / #331).
- **`codeql.yml`** — CodeQL static analysis (Python + JS/TS) on push/PR and a
weekly schedule. This is the project's security dataflow scanner.
- **`release.yml`** — automated PyPI publishing. Triggered when a GitHub
- **`publish.yml`** — automated PyPI publishing. Triggered when a GitHub
Release is **published** (a human authorises every release; the Release
notes are the changelog entry), or manually via `workflow_dispatch` for a
TestPyPI dry-run. Uses **PyPI Trusted Publishing (OIDC)** — no stored
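Review bot: the README bullet is renamed here but does not say that the PyPI-side publisher entry has to change with it; PyPI matches a Trusted Publisher on owner, repository, workflow filename and environment (not on the workflow's `name:`), so the "Uses PyPI Trusted Publishing (OIDC)" sentence should add that the publisher entry must read `Workflow: publish.yml` before the first Release is published after this merge, otherwise the OIDC token exchange is rejected and the release fails.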
2 changes: 1 addition & 1 deletion .github/workflows/ci.yml
Expand Up @@ -24,7 +24,7 @@
# SECURITY POSTURE:
# - Least-privilege: top-level `contents: read`; no job needs write.
# - All third-party actions are pinned to a full commit SHA (a tag can
# be moved, a SHA cannot) — consistent with codeql.yml / release.yml
# be moved, a SHA cannot) — consistent with codeql.yml / publish.yml
# and the supply-chain hardening in #331.
# - This is a *gate*, not a publisher: it has no access to PyPI, no
# `id-token`, and no stored secrets.
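Review bot: comment-only change, and since this file is described as a gate with no `id-token` and no secrets nothing else in ci.yml needs to track the rename; the visible diff updates only three references, so the rename should be checked repo-wide (for example `grep -rn 'release\.yml'` across docs, `scripts/deploy.sh` and any branch-protection or required-check configuration), because a stale path in a doc is harmless while a stale path in a script or a protection rule is not.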
@@ -1,4 +1,4 @@
name: release
name: publish

# Automated PyPI publishing for django-admin-react.
#
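Review bot: the file header for this file is not shown in this view, so confirm the file itself is renamed to `.github/workflows/publish.yml` and not just its `name:`; PyPI's trusted-publisher check and the paths now cited in README.md and SECURITY.md key on the filename, while `name: publish` only changes the display name under which runs appear in the Actions tab and the name a `workflow_run` trigger or status badge would reference.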
Expand Down Expand Up @@ -37,7 +37,7 @@ name: release
# "Trusted Publisher":
# Owner: MartinCastroAlvarez
# Repository: django-admin-react
# Workflow: release.yml
# Workflow: publish.yml
# Environment: pypi
# 2. GitHub → repo Settings → Environments → create `pypi` (optionally
# add required reviewers so a release is approval-gated), and
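Review bot: the setup steps should add a step to delete the old `release.yml` publisher entry on PyPI (and on TestPyPI, if one was registered) after adding `publish.yml`; if it is left in place, any future workflow file named `release.yml` in this repository running in the `pypi` environment could still obtain a publish token via OIDC, which undercuts the "a human authorises every release" property the README claims. Also worth stating that `Environment: pypi` must match the GitHub environment name exactly, since a mismatch is rejected the same way as a wrong filename.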
2 changes: 1 addition & 1 deletion SECURITY.md
Expand Up @@ -182,7 +182,7 @@ Every endpoint added must include all of these tests before merging:
(`POETRY_PYPI_TOKEN_PYPI`), never in any file in the repo. The token
is **never** echoed or logged by `scripts/deploy.sh`.
- Releases require a **human maintainer**. The publish is driven by the
`release.yml` workflow (OIDC Trusted Publishing — no stored token);
`publish.yml` workflow (OIDC Trusted Publishing — no stored token);
the maintainer triggers it by publishing a GitHub Release.
- TestPyPI may be used for verification by the maintainer with a
separate token; same hygiene rules apply.
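Review bot: the preceding bullet in this hunk still describes a stored `POETRY_PYPI_TOKEN_PYPI` consumed by `scripts/deploy.sh`, while the bullet updated here says publishing is driven by `publish.yml` with no stored token; the two should say which path is authoritative (for example that `scripts/deploy.sh` is a maintainer-local fallback, or that it is retired), because the "no stored token" claim only holds if the token path is actually gone, and the TestPyPI bullet that follows also assumes a separate token rather than the `workflow_dispatch` dry-run the README describes.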